On 12/18/19, 23:19, "Y Song" <ys114321@xxxxxxxxx> wrote:

> Added cc to bpf@xxxxxxxxxxxxxxx.

Thank you, I will remember to do this next time.

> Have you tried your patch with some bpf programs? verifier and jit put some
> restrictions on unpriv programs. To truly test the program, most if not all these
> restrictions should be lifted, so the same tested program should be able to
> run on production server and vice versa.

Agreed, I am aware of some of these differences in the load/verifier behavior
with and without CAP_SYS_ADMIN. In particular, without CAP_SYS_ADMIN programs
are still restricted to 4k, some helpers are not available (spin locks, trace
printk) and there are some differences in context access checks.

I think these can be addressed incrementally, assuming folk are on board with
this approach in general?

Regards,
Edwin Peer