From: Alexei Starovoitov <ast@xxxxxxxxxxxx> Date: Wed, 7 Oct 2015 22:23:20 -0700 > v1-v2: > - this set logically depends on cb patch > "bpf: fix cb access in socket filter programs": > http://patchwork.ozlabs.org/patch/527391/ > which is must have to allow unprivileged programs. > Thanks Daniel for finding that issue. > - refactored sysctl to be similar to 'modules_disabled' > - dropped bpf_trace_printk > - split tests into separate patch and added more tests > based on discussion > > v1 cover letter: > I think it is time to liberate eBPF from CAP_SYS_ADMIN. > As was discussed when eBPF was first introduced two years ago > the only piece missing in eBPF verifier is 'pointer leak detection' > to make it available to non-root users. > Patch 1 adds this pointer analysis. > The eBPF programs, obviously, need to see and operate on kernel addresses, > but with these extra checks they won't be able to pass these addresses > to user space. > Patch 2 adds accounting of kernel memory used by programs and maps. > It changes behavoir for existing root users, but I think it needs > to be done consistently for both root and non-root, since today > programs and maps are only limited by number of open FDs (RLIMIT_NOFILE). > Patch 2 accounts program's and map's kernel memory as RLIMIT_MEMLOCK. > > Unprivileged eBPF is only meaningful for 'socket filter'-like programs. > eBPF programs for tracing and TC classifiers/actions will stay root only. > > In parallel the bpf fuzzing effort is ongoing and so far > we've found only one verifier bug and that was already fixed. > The 'constant blinding' pass also being worked on. > It will obfuscate constant-like values that are part of eBPF ISA > to make jit spraying attacks even harder. Scary stuff, but I don't see any major problems, so series applied! -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
