Re: [PATCH 1/3] bpf/verifier: Log instruction patching when verbose logging is enabled

From: Ben Hutchings
Date: Thu Nov 29 2018 - 10:56:03 EST

Next message: Artem Savkov: "[PATCH v2] x86/tools/relocs: fix big section header tables"
Previous message: Tejun Heo: "Re: [PATCH 11/13] blkcg: remove bio_disassociate_task()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2018-11-23 at 21:10 +0100, Daniel Borkmann wrote:
> On 11/23/2018 07:34 PM, Ben Hutchings wrote:
> > User-space does not have access to the patched eBPF code, but we
> > need to be able to test that patches are being applied.ÂÂTherefore
> > log distinct messages for each case that requires patching.
>
> Thanks for the patches, Ben! Above is actually not the case, e.g. privileged
> admin can use something like 'bpftool prog dump xlated id <id>' and then the
> BPF insns are dumped to user space for the program /after/ the verification,
> so the rewrites can then be seen.

Oh that's good.

> test_verifier temporarily drops caps to
> load and run the unprivileged cases, but we can extend the test suite to
> retrieve and check the final insns after that happened. I think this would be
> a nice extension to the test suite for cases like these and would also provide
> better insight than verbose() statement saying that something has been
> patched (but not the actual result of it).

Agreed; I'll look into doing this instead.

Ben.

--
Ben Hutchings, Software Developer Â Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom

Next message: Artem Savkov: "[PATCH v2] x86/tools/relocs: fix big section header tables"
Previous message: Tejun Heo: "Re: [PATCH 11/13] blkcg: remove bio_disassociate_task()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]