Re: [RFC PATCH bpf-next 00/13] bpf: Introduce BPF namespace

From: Yafang Shao
Date: Mon Mar 27 2023 - 23:49:25 EST


On Tue, Mar 28, 2023 at 3:04 AM Song Liu <song@xxxxxxxxxx> wrote:
>
> On Sun, Mar 26, 2023 at 2:22 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> >
> > Currently only CAP_SYS_ADMIN can iterate BPF object IDs and convert IDs
> > to FDs, that's intended for BPF's security model[1]. Not only does it
> > prevent non-privileged users from getting other users' bpf program, but
> > also it prevents the user from iterating his own bpf objects.
> >
> > In container environment, some users want to run bpf programs in their
> > containers. These users can run their bpf programs under CAP_BPF and
> > some other specific CAPs, but they can't inspect their bpf programs in a
> > generic way. For example, the bpftool can't be used as it requires
> > CAP_SYS_ADMIN. That is very inconvenient.
>
> Agreed that it is important to enable tools like bpftool without
> CAP_SYS_ADMIN. However, I am not sure whether we need a new
> namespace for this. Can we reuse some existing namespace for this?
>

It seems we can't.

> If we do need a new namespace, maybe we should share some effort
> with tracer namespace proposal [1]?
>

Thanks for your information. I will learn the tracer namespace first
and try to analyze how to cooperate with it.

> Thanks,
> Song
>
> [1] https://lpc.events/event/16/contributions/1237/


--
Regards
Yafang