On Fri, Apr 27, 2018 at 11:44:44AM +0200, Daniel Borkmann wrote: > On 04/26/2018 04:26 AM, Leo Yan wrote: > > When CONFIG_BPF_JIT_ALWAYS_ON is enabled, kernel has limitation for > > bpf_jit_enable, so it has fixed value 1 and we cannot set it to 2 > > for JIT opcode dumping; this patch is to update the doc for it. > > > > Signed-off-by: Leo Yan <leo.yan@xxxxxxxxxx> > > --- > > Documentation/networking/filter.txt | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/Documentation/networking/filter.txt b/Documentation/networking/filter.txt > > index fd55c7d..feddab9 100644 > > --- a/Documentation/networking/filter.txt > > +++ b/Documentation/networking/filter.txt > > @@ -483,6 +483,12 @@ Example output from dmesg: > > [ 3389.935851] JIT code: 00000030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff ff 00 00 > > [ 3389.935852] JIT code: 00000040: eb 02 31 c0 c9 c3 > > > > +When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is set to 1 by default > > +and it returns failure if change to any other value from proc node; this is > > +for security consideration to avoid leaking info to unprivileged users. In this > > +case, we can't directly dump JIT opcode image from kernel log, alternatively we > > +need to use bpf tool for the dumping. > > + > > Could you change this doc text a bit, I think it's slightly misleading. From the first > sentence one could also interpret that value 0 would leaking info to unprivileged users > whereas here we're only talking about the case of value 2. Maybe something roughly like > this to make it more clear: > > When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is permanently set to 1 and > setting any other value than that will return in failure. This is even the case for > setting bpf_jit_enable to 2, since dumping the final JIT image into the kernel log > is discouraged and introspection through bpftool (under tools/bpf/bpftool/) is the > generally recommended approach instead. Yeah, your rephrasing is more clear and better. Will do this and send new patch soon. Thanks for your helping. > Thanks, > Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
