On Tue, Aug 27, 2019 at 9:49 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > > On Tue, Aug 27, 2019 at 07:00:40PM -0700, Andy Lutomirski wrote: > > > > Let me put this a bit differently. Part of the point is that > > CAP_TRACING should allow a user or program to trace without being able > > to corrupt the system. CAP_BPF as you’ve proposed it *can* likely > > crash the system. > > Really? I'm still waiting for your example where bpf+kprobe crashes the system... > That's not what I meant. bpf+kprobe causing a crash is a bug. I'm referring to a totally different issue. On my laptop: $ sudo bpftool map 48: hash name foobar flags 0x0 key 8B value 8B max_entries 64 memlock 8192B 181: lpm_trie flags 0x1 key 8B value 8B max_entries 1 memlock 4096B 182: lpm_trie flags 0x1 key 20B value 8B max_entries 1 memlock 4096B 183: lpm_trie flags 0x1 key 8B value 8B max_entries 1 memlock 4096B 184: lpm_trie flags 0x1 key 20B value 8B max_entries 1 memlock 4096B 185: lpm_trie flags 0x1 key 8B value 8B max_entries 1 memlock 4096B 186: lpm_trie flags 0x1 key 20B value 8B max_entries 1 memlock 4096B 187: lpm_trie flags 0x1 key 8B value 8B max_entries 1 memlock 4096B 188: lpm_trie flags 0x1 key 20B value 8B max_entries 1 memlock 4096B $ sudo bpftool map dump id 186 key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 value: 02 00 00 00 00 00 00 00 Found 1 element $ sudo bpftool map delete id 186 key hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [this worked] I don't know what my laptop was doing with map id 186 in particular, but, whatever it was, I definitely broke it. If a BPF firewall is in use on something important enough, this could easily remove connectivity from part or all of the system. Right now, this needs CAP_SYS_ADMIN. With your patch, CAP_BPF is sufficient to do this, but you *also* need CAP_BPF to trace the system using BPF. Tracing with BPF is 'safe' in the absence of bugs. Modifying other peoples' maps is not. One possible answer to this would be to limit CAP_BPF to the subset of BPF that is totaly safe in the absence of bugs (e.g. loading most program types if they don't have dangerous BPF_CALL instructions but not *_BY_ID). Another answer would be to say that CAP_BPF will not be needed by future unprivileged bpf mechanisms, and that CAP_TRACING plus unprivileged bpf will be enough to do most or all interesting BPF tracing operations. If the answer is the latter, then maybe it would make sense to try to implement some of the unprivileged bpf stuff and then to see whether CAP_BPF is still needed.