[Adding in correct address for Quentin, since his address has changed]

On Sat, 18 Apr 2020 at 09:34, Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> wrote:
>
> [CC += Quentin]
>
> Hello Richard (and Quentin, Daniel, Alexei),
>
> On Fri, 17 Apr 2020 at 15:28, Richard Palethorpe <rpalethorpe@xxxxxxx> wrote:
> >
> > Hello Michael,
> >
> > Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> writes:
> >
> > > Hello Richard,
> > >
> > > On 7/29/19 2:58 PM, Richard Palethorpe wrote:
> > >> This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN
> > >> under some circumstances.
> > >
> > > Thanks. I have (at last) applied this patch.
> >
> > :-)
> >
> > >
> > > In Linux 4.4, the allowed BPF helper functions that could
> > > be called were, I think, governed by a check in sk_filter_func_proto().
> > > Nowadays (Linux 5.6), it is, I think, governed by the check in
> > > sk_filter_func_proto(). If that is the case, then probably there
> >
> > It looks like bpf_base_func_proto() and sk_filter_func_proto(). Possibly
> > also cg_skb_func_proto() because it seems normal users can also attach a
> > cgroup skb filter program type (looking at bpf_prog_load() in syscall.c
> > for 5.7).
>
> Thanks for the pointer to bpf_prog_load(). But, I must admit I'm
> having trouble following the code. Can you say some more about how you
> deduce the involvement of sk_filter_func_proto() and
> cg_skb_func_proto()?
>
> > > are one or two more helper functions to be added to the list
> > > (e.g., get_numa_node_id, map_push_elem, map_pop_elem).
> > > Do you agree with my analysis?
> >
> > Yes, at least those. IMO this is such a fast moving target it might be
> > best to direct users towards <linux/bpf.h>.
>
> Are you aware of bpf-helpers(7) [1], which is generated [2] from that
> file? It seems like this would be the place to document which helpers
> can be used by unprivileged processes.
>
> Quentin, Daniel, Alexei, do you have any thoughts here?
>
> Thanks,
>
> Michael
>
> [1] http://man7.org/linux/man-pages/man7/bpf-helpers.7.html
> [2] https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=53666f6c30451cde022f65d35a8d448f5a7132ba
>
>
> --
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/