Re: [PATCH v6 net-next 1/6] net: filter: add "load 64-bit immediate" eBPF instruction
From: David Miller
Date: Mon Aug 25 2014 - 21:06:28 EST
From: Alexei Starovoitov <ast@xxxxxxxxxxxx>
Date: Mon, 25 Aug 2014 18:00:53 -0700
> add BPF_LD_IMM64 instruction to load 64-bit immediate value into a register.
I think you need to rethink this.
I understand that you want to be able to compile arbitrary C code into
eBPF, but you have to restrict strongly what data the eBPF code can get
Arbitrary pointer loads is asking for trouble.
Instead I would rather you look into a model like what the quake
engine uses for it's VM.
Namely, the program can do loads and stores from/to a data section,
but all of them are validated to be in the range of the VM program's
eBPF programs should only be able to access things using either:
1) Well defined entry/exit points for control transfer
2) Load/Store within a private limited data segment range used
only by the eBPF program
I don't want the eBPF program to be able to get "out of it's box"
in any way shape or form.
And besides, you're only making this thing as an optimization right?
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/