On Wed, Dec 16, 2020 at 7:33 AM Lorenz Bauer <lmb@xxxxxxxxxxxxxx> wrote:
>
> On Wed, 16 Dec 2020 at 14:56, Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
> >
> > > What were the reasons for changing the mode to 0700? Would it be
> > > reasonable to mount /sys/fs/bpf with 1777 nowadays?
> >
> > If you don't specify anything particular a3af5f800106 ("bpf: allow for
> > mount options to specify permissions") the sb is created with S_IRWXUGO.
>
> Makes sense, thanks for the context. I checked iproute2, that mounts
> /sys/fs/bpf with 0700 if it doesn't exist.
>
> > It's probably caution on systemd side (?), currently don't recall any
> > particular discussion on this matter.
>
> Alexei then maybe?

I don't recall, but I suggest to always use your own mount.
All bpffs instances are independent. That's the way to keep them isolated.
We've seen issues in the past where common /sys/fs/bpf location was causing
unpleasant collisions between different projects. Now folks have learned to
treat /sys/fs/bpf more carefully and don't touch stuff that they didn't put
in there, but it's still fragile until cap_bpf and different user ids are
universally adopted.
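
The "use your own mount" advice above, sketched as an added shell example that is not part of the original thread or of any project mentioned in it. The function names and the path /run/myproject/bpf are hypothetical; the `mode=0700` option mirrors what the thread says iproute2 uses.

```shell
#!/bin/sh
# Added example: one bpffs instance per project instead of sharing
# /sys/fs/bpf. Function names and the example path are hypothetical.

# is_bpffs_mounted DIR [TABLE]: succeed if DIR is the mount point of a
# bpf filesystem in TABLE (a file in /proc/mounts format, the default).
is_bpffs_mounted() {
    awk -v dir="$1" '$2 == dir && $3 == "bpf" { found = 1 }
                     END { exit !found }' "${2:-/proc/mounts}"
}

# dir_is_private DIR: succeed only if DIR is owned by the calling user
# and has mode 0700, so other users cannot pin or unpin objects in it.
dir_is_private() {
    [ "$(stat -c '%u %a' "$1" 2>/dev/null)" = "$(id -u) 700" ]
}

# ensure_private_bpffs DIR: mount a fresh bpffs on DIR with mode=0700
# unless one is already there, then verify ownership and mode.
# Needs the privileges required for mount(2).
ensure_private_bpffs() {
    dir=$1
    if ! is_bpffs_mounted "$dir"; then
        mkdir -p "$dir" || return 1
        mount -t bpf bpf "$dir" -o mode=0700 || return 1
    fi
    if ! dir_is_private "$dir"; then
        echo "refusing $dir: not owned by uid $(id -u) with mode 0700" >&2
        return 1
    fi
}

# Usage (with mount privileges): ensure_private_bpffs /run/myproject/bpf
```

The final check matters when the mount already existed: a bpffs created without a mode option gets S_IRWXUGO, so the script refuses to pin into it rather than trusting a directory another user can write to.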