From: Andy Lutomirski <luto@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Jann Horn <jannh@google.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH bpf-next v2] bpf, seccomp: fix false positive preemption splat for cbpf->ebpf progs
Date: Thu, 21 Feb 2019 16:22:34 -0800 [thread overview]
Message-ID: <CALCETrXeVZqt-Cax9FryP96RRmaMXAe9ezRSz6XiKjdTdDhqdw@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5jKb4F7pa5=0bHH9T494Cnk_y=4TxrX2BecrvuvFZPAhaQ@mail.gmail.com>
On Thu, Feb 21, 2019 at 2:14 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Thu, Feb 21, 2019 at 12:36 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> > I also would like to touch on your comment:
> > "A lot of changes will be needed for seccomp ebpf"
> > There were two attempts to add it in the past and the patches were
> > small and straightforward.
>
> Yeah, agreed: doing it is technically easy. My concerns have mainly
> revolved around avoiding increased complexity and attack surface.
> There have been, for example, a lot of verifier bugs that were not
> reachable through seccomp's BPF usage, given it enforcing only using a
> subset of cBPF. i.e. seccomp filters couldn't be used as Spectre
> gadgets, etc.
>
> > If I recall correctly both times you nacked them because performance gains
> > and ease of use arguments were not convincing enough, right?
>
> Right. There wasn't, in my opinion enough of a performance benefit vs
> just having efficient BPF to start with.
>
> > Are you still not convinced ?
>
> For now, yeah. I'm sure there will be some future time when a use-case
> appears where gaining some special eBPF hook/feature will outweigh the
> increased attack surface. I haven't seen it yet, but I'm not crazy
> enough to think it'll never happen. (In fact, recently I even had
> Tycho see if he could implement the recent seccomp user notification
> stuff via eBPF.)
>
I consider the potential for much improved performance to be a
maybe-good-enough argument. The down side is that there are programs
that load cBPF seccomp filters from inside a sandbox, and being able
to load eBPF from inside a sandbox is potentially undesirable.
prev parent reply other threads:[~2019-02-22 0:22 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-20 23:01 [PATCH bpf-next v2] bpf, seccomp: fix false positive preemption splat for cbpf->ebpf progs Daniel Borkmann
2019-02-20 23:59 ` Alexei Starovoitov
2019-02-21 4:02 ` Alexei Starovoitov
2019-02-21 5:31 ` Kees Cook
2019-02-21 8:53 ` Daniel Borkmann
2019-02-21 12:56 ` Jann Horn
2019-02-21 19:29 ` Alexei Starovoitov
2019-02-21 19:53 ` Kees Cook
2019-02-21 20:36 ` Alexei Starovoitov
2019-02-21 22:14 ` Kees Cook
2019-02-22 0:22 ` Andy Lutomirski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrXeVZqt-Cax9FryP96RRmaMXAe9ezRSz6XiKjdTdDhqdw@mail.gmail.com \
--to=luto@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).