lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 Jul 2016 21:36:33 -0700 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Sargun Dhillon <sargun@...gun.me> Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: Relax kern_version constraints on bpf kprobes? On Sat, Jul 23, 2016 at 09:01:39PM -0700, Sargun Dhillon wrote: > In kernel/bpf/syscall.c we restrict programs loading bpf kprobe programs so > attr.kern_version must be exactly equal to what the user is running at the > moment. This makes a lot of sense because kprobes can touch lots of > unstable bits of the kernel ABI. > > Unfortunately, this makes it really difficult to ship binary bpf programs > for debugging, and most customers don't want to go through all the steps > of preparing for compilation and installation of bpf programs for their > specific kernel that was shipped by their vendor. > > This is especially problematic when the probe is touching only stable ABIs > (syscalls), or alternatively is just logging performance events. I realize > that we can change this section pretty easily by reading the version at > load time and modifying it, but it's kind of a pain. > > For programs that we know are safe, is there a mechanism by which we can > bypass this check, and tell the loader that we know what we're doing > since these programs are only accessible to CAP_SYS_ADMIN? The proper alternative is to always compile programs on the fly for the given kernel like iovisor/bcc does. Integrated clang/llvm has other advantages, like being able to search/replace in bpf C program before installing it in the kernel. So different command line flags come with zero overhead when not in use.
Powered by blists - more mailing lists