| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5617FD1C.2030702@iogearbox.net> Date: Fri, 09 Oct 2015 19:45:00 +0200 From: Daniel Borkmann <daniel@...earbox.net> To: Alexei Starovoitov <ast@...mgrid.com>, Hannes Frederic Sowa <hannes@...essinduktion.org>, "David S. Miller" <davem@...emloft.net> CC: Andy Lutomirski <luto@...capital.net>, Ingo Molnar <mingo@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Kees Cook <keescook@...omium.org>, linux-api@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2 net-next 1/3] bpf: enable non-root eBPF programs On 10/09/2015 07:30 PM, Alexei Starovoitov wrote: ... > Openstack use case is different. There it will be prog_type_sched_cls > that can mangle packets, change skb metadata, etc under TC framework. > These are not suitable for all users and this patch leaves > them root-only. If you're proposing to add CAP_BPF_TC to let containers > use them without being CAP_SYS_ADMIN, then I agree, it is useful, but > needs a lot more safety analysis on tc side. Well, I think if so, then this would need to be something generic for tc instead of being specific to a single (out of various) entities inside the tc framework, but I currently doubt that this makes much sense. If we allow to operate already at that level, then restricting to CAP_SYS_ADMIN makes more sense in that specific context/subsys to me. Best, Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists