Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs

From: Ingo Molnar
Date: Thu Oct 08 2015 - 02:22:05 EST

Next message: Miroslav Lichvar: "Re: [PATCH] timekeeping: Limit system time to prevent 32-bit time_t overflow"
Previous message: Scott Feldman: "Re: [PATCH net-next 6/6] net: dsa: use switchdev obj in port_fdb_del"
Next in thread: Alexei Starovoitov: "Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Alexei Starovoitov <ast@xxxxxxxxxxxx> wrote:

> As far as sysctl we can look at two with similar purpose:
> sysctl_perf_event_paranoid and modules_disabled.
> First one is indeed multi level, but not because of the fear of bugs,
> but because of real security implications.

It serves both purposes flexibly, and note that most people and distros will use
the default value.

> [...] Like raw events on hyperthreaded cpu or uncore events can extract data
> from other user processes. So it controls these extra privileges.

It also controls the generally increased risk caused by a larger attack surface,
which some users may not want to carry and which they can thus shrink.

With a static keys approach there would be no runtime overhead worth speaking of,
so I see no reason why unprivileged eBPF couldn't have a sysctl too - with the
default value set to permissive.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Miroslav Lichvar: "Re: [PATCH] timekeeping: Limit system time to prevent 32-bit time_t overflow"
Previous message: Scott Feldman: "Re: [PATCH net-next 6/6] net: dsa: use switchdev obj in port_fdb_del"
Next in thread: Alexei Starovoitov: "Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]