On Wed, 16 Dec 2020 at 14:56, Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>
> > What were the reasons for changing the mode to 0700? Would it be
> > reasonable to mount /sys/fs/bpf with 1777 nowadays?
>
> If you don't specify anything particular a3af5f800106 ("bpf: allow for
> mount options to specify permissions") the sb is created with S_IRWXUGO.

Makes sense, thanks for the context. I checked iproute2, which mounts
/sys/fs/bpf with 0700 if it doesn't exist.

> It's probably caution on systemd side (?), currently don't recall any
> particular discussion on this matter. Alexei then maybe?
> Either way, you can mount your own private instance of bpf fs
> which supports different mount flavors if needed [0]. So
> it's no different from tmp fs or others - apart from explicitly not
> having userns support.

Yeah, that's what we're doing at the moment. It's just another step that
is easy to forget, and makes some operational stuff more complicated. So
I wonder if there is a downside to just changing our /sys/fs/bpf to 1777.

Lorenz

--
Lorenz Bauer | Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK
www.cloudflare.com
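As an added example (not part of the thread, nor kernel or iproute2 code), a small audit that lists every bpffs mount in /proc/mounts-format text and classifies its root mode: it assumes bpffs reports a non-default root mode as a `mode=` option and otherwise falls back to the S_IRWXUGO default mentioned above; the sample mount lines are constructed, and the mount point /run/myapp/bpf is hypothetical.

```python
import os
import stat

# bpffs root mode when no mode= option is given: S_IRWXUGO (0777).
DEFAULT_BPFFS_MODE = 0o777

def parse_bpf_mounts(proc_mounts_text):
    """Return [(mountpoint, {option: value})] for each 'bpf' filesystem."""
    mounts = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "bpf":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value or True
        mounts.append((fields[1], opts))
    return mounts

def root_mode_from_options(opts):
    # Assumption: mode= is only shown when it differs from the default, and the
    # sticky bit is not reported there; use audit_live() when that matters.
    return int(opts["mode"], 8) if "mode" in opts else DEFAULT_BPFFS_MODE

def assess(mountpoint, mode):
    """Classify a bpffs root mode from a least-privilege standpoint."""
    return {
        "mountpoint": mountpoint,
        "mode": format(mode, "o"),
        "world_writable": bool(mode & 0o002),
        "sticky": bool(mode & stat.S_ISVTX),
        "private": (mode & 0o077) == 0,
    }

def audit_proc_mounts(proc_mounts_text):
    return [assess(mp, root_mode_from_options(o))
            for mp, o in parse_bpf_mounts(proc_mounts_text)]

def audit_live(path="/sys/fs/bpf"):
    """Authoritative check on a running system (includes the sticky bit)."""
    return assess(path, stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: an iproute2-style 0700 mount plus a private instance
# mounted without mode= (hence the 0777 default).
SAMPLE_MOUNTS = """\
bpffs /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
bpffs /run/myapp/bpf bpf rw,nosuid,nodev,noexec,relatime 0 0
"""
```

On a live host, `audit_proc_mounts(open("/proc/mounts").read())` gives the overview and `audit_live()` the exact mode of the default mount.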