Disregard this email. Re-sending in plain-text mode to prevent rejection by netdev list.
On Fri, Aug 25, 2017 at 10:56 AM Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
I’d like to get your thoughts on adding LSM permission checks on BPF objects.By default, the ability to create and use eBPF maps/programs requires CAP_SYS_ADMIN [1]. Alternatively, all processes can be granted access to bpf() functions. This seems like poor granularity. [2]Like files and sockets, eBPF maps and programs can be passed between processes by FD and have a number of functions that map cleanly to permissions.Let me know what you think. Are there simpler alternative approaches that we haven’t considered?Thanks!Jeff[1] http://man7.org/linux/man-pages/man2/bpf.2.html NOTES section[2] We are considering eBPF for network filtering by netd. Giving netd CAP_SYS_ADMIN would considerably increase netd’s privileges. Alternatively allowing all processes permission to use bpf() goes against the principle of least privilege exposing a lot of kernel attack surface to processes that do not actually need it.
