BPF-based tools, such as bcc and bpftrace, are very helpful for debugging various issues. However, most BPF capabilities require CAP_SYS_ADMIN, CAP_BPF, CAP_NET_ADMIN, and/or CAP_PERFMON, which creates security concerns in container environments. At this LSF/MM/BPF, I would like to discuss different options to enable debugging with BPF in a container while maintaining security.

To kick off the brainstorming, here are some random ideas off the top of my head:

1. Control what data is accessible to each user. This is clearly tricky for kernel data structures shared by different users.

2. Control the trigger of BPF programs, i.e., one user's BPF program could not trigger on other users' tasks. However, this won't work well with interrupts and special kernel functions/tracepoints, such as context switches.

3. Limit which BPF programs are accessible to non-root users. There are multiple ways to do this. The sysadmin could pin some BPF programs and share them with users in the container (via a bind mount of bpffs). This is relatively safe, but not flexible enough for debugging uses. On the other side of the safe-flexible spectrum, the sysadmin could use setcap on bpftrace, bcc-py, or some customized tools, but this is not ideal either.

4. The perf subsystem enables monitoring for non-root users with per-task perf events that move with a specific task. We don't have such a concept in BPF, but similar ideas may work well in some scenarios.

5. Some combination of different mechanisms.

Thanks,
Song
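As an added example (not part of the original post), here is a check for the pinned-program sharing scheme in option 3: it assumes the sysadmin bind-mounts the pinned directory into the container read-only, and verifies from /proc/self/mountinfo that the bpffs mount at a given path really is read-only. It inspects the per-mount options (field 6) rather than the superblock options at the end of the line, because a read-only bind mount leaves the superblock itself "rw". The mountinfo sample is constructed.

```shell
#!/bin/sh
# bpffs_mount_is_ro MOUNTPOINT  (reads mountinfo-format lines on stdin)
#   exit 0: a bpffs is mounted at MOUNTPOINT and its per-mount options contain "ro"
#   exit 1: a bpffs is mounted there but is writable (the container could pin new objects)
#   exit 2: no bpffs mount at MOUNTPOINT
# mountinfo layout (proc(5)): id parent major:minor root mountpoint per-mount-opts
#   [optional fields...] - fstype source super-opts
bpffs_mount_is_ro() {
    awk -v want="$1" '
        {
            # optional fields end at the lone "-" separator; fstype follows it
            for (i = 7; i <= NF; i++) if ($i == "-") break
            fstype = $(i + 1)
            if (fstype != "bpf" || $5 != want) next
            found = 1
            n = split($6, opt, ",")      # per-mount options, e.g. ro,nosuid,nodev
            for (j = 1; j <= n; j++) if (opt[j] == "ro") ro = 1
        }
        END {
            if (!found) exit 2
            exit (ro ? 0 : 1)
        }'
}

# Constructed mountinfo sample: an admin-shared bpffs subdirectory bound read-only
# at /sys/fs/bpf, and a writable bpffs at /run/bpf-rw for contrast. Note the
# super options on the ro line are still "rw,mode=700".
sample_mountinfo() {
cat <<'EOF'
30 25 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
95 25 0:40 /shared /sys/fs/bpf ro,nosuid,nodev,noexec,relatime shared:5 - bpf bpf rw,mode=700
96 25 0:40 /scratch /run/bpf-rw rw,nosuid,nodev,noexec,relatime - bpf bpf rw,mode=700
EOF
}

# Stand-alone run against the constructed sample; on a real container use:
#   bpffs_mount_is_ro /sys/fs/bpf < /proc/self/mountinfo
sample_mountinfo | bpffs_mount_is_ro /sys/fs/bpf && echo "sample: /sys/fs/bpf is read-only"
```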