Disregard this email. Re-sending in plain-text mode to prevent rejection by netdev list.
On Fri, Aug 25, 2017 at 10:56 AM Jeffrey Vander Stoep <[email protected]> wrote: > I’d like to get your thoughts on adding LSM permission checks on BPF > objects. > > By default, the ability to create and use eBPF maps/programs requires > CAP_SYS_ADMIN [1]. Alternatively, all processes can be granted access to > bpf() functions. This seems like poor granularity. [2] > > Like files and sockets, eBPF maps and programs can be passed between > processes by FD and have a number of functions that map cleanly to > permissions. > > Let me know what you think. Are there simpler alternative approaches that > we haven’t considered? > > Thanks! > Jeff > > [1] http://man7.org/linux/man-pages/man2/bpf.2.html NOTES section > [2] We are considering eBPF for network filtering by netd. Giving netd > CAP_SYS_ADMIN would considerably increase netd’s privileges. Alternatively > allowing all processes permission to use bpf() goes against the principle > of least privilege exposing a lot of kernel attack surface to processes > that do not actually need it. >
