Re: [PATCH 1/3] bpf/verifier: Log instruction patching when verbose logging is enabled

From: Ben Hutchings
Date: Thu Nov 29 2018 - 10:56:03 EST

On Fri, 2018-11-23 at 21:10 +0100, Daniel Borkmann wrote:
> On 11/23/2018 07:34 PM, Ben Hutchings wrote:
> > User-space does not have access to the patched eBPF code, but we
> > need to be able to test that patches are being applied.ÂÂTherefore
> > log distinct messages for each case that requires patching.
> Thanks for the patches, Ben! Above is actually not the case, e.g. privileged
> admin can use something like 'bpftool prog dump xlated id <id>' and then the
> BPF insns are dumped to user space for the program /after/ the verification,
> so the rewrites can then be seen.

Oh that's good.

> test_verifier temporarily drops caps to
> load and run the unprivileged cases, but we can extend the test suite to
> retrieve and check the final insns after that happened. I think this would be
> a nice extension to the test suite for cases like these and would also provide
> better insight than verbose() statement saying that something has been
> patched (but not the actual result of it).

Agreed; I'll look into doing this instead.


Ben Hutchings, Software Developer  Codethink Ltd Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom