lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 23 Jul 2014 12:30:24 -0700
From:	Alexei Starovoitov <>
To:	Kees Cook <>
Cc:	"David S. Miller" <>,
	Ingo Molnar <>,
	Linus Torvalds <>,
	Andy Lutomirski <>,
	Steven Rostedt <>,
	Daniel Borkmann <>,
	Chema Gonzalez <>,
	Eric Dumazet <>,
	Peter Zijlstra <>,
	Arnaldo Carvalho de Melo <>,
	Jiri Olsa <>,
	Thomas Gleixner <>,
	"H. Peter Anvin" <>,
	Andrew Morton <>,
	Linux API <>,
	Network Development <>,
	LKML <>
Subject: Re: [PATCH RFC v2 net-next 05/16] bpf: introduce syscall(BPF, ...)
 and BPF maps

On Wed, Jul 23, 2014 at 11:02 AM, Kees Cook <> wrote:
>> --- a/Documentation/networking/filter.txt
>> +++ b/Documentation/networking/filter.txt
>> +eBPF maps
>> +---------
>> +'maps' is a generic storage of different types for sharing data between kernel
>> +and userspace.
>> +
>> +The maps are accessed from user space via BPF syscall, which has commands:
>> +- create a map with given id, type and attributes
>> +  map_id = bpf_map_create(int map_id, map_type, struct nlattr *attr, int len)
>> +  returns positive map id or negative error
> Looks like these docs need updating for the fd-based approach instead
> of the map_id approach?

ohh, yes. updated it in srcs and in commit log, but forgot in docs.

>> +SYSCALL_DEFINE5(bpf, int, cmd, unsigned long, arg2, unsigned long, arg3,
>> +               unsigned long, arg4, unsigned long, arg5)
>> +{
>> +       if (!capable(CAP_SYS_ADMIN))
>> +               return -EPERM;
> It might be valuable to have a comment here describing why this is
> currently limited to CAP_SYS_ADMIN.

makes sense.
There are several reasons it should be limited to root initially:
- to phase changes in gradually
- verifier is not detecting pointer leaks yet
- full security audit wasn't performed
- tracing and network analytics are root only anyway
Currently eBPF is safe (non-crashing), since safety is relatively easy
to enforce by static analysis. For somebody with compiler background
it's natural to think about bounds, alignments, uninitialized access, etc.
So I'm confident that I didn't miss anything big in 'safety' aspect.
'Non-root security' is harder. I'll add pointer leak detection first
and will ask for more suggestions.

>> +       switch (cmd) {
>> +       case BPF_MAP_CREATE:
>> +               return map_create((enum bpf_map_type) arg2,
>> +                                 (struct nlattr __user *) arg3, (int) arg4);
> I'd recommend requiring arg5 == 0 here, just for future flexibility.

Though I expect all extensions to go through nlattr attributes,
it's indeed cleaner to enforce arg5==0 here and for all other cmds.
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists