lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <588A35F8.6050909@fb.com>
Date:   Thu, 26 Jan 2017 09:46:32 -0800
From:   Alexei Starovoitov <ast@...com>
To:     Andy Lutomirski <luto@...capital.net>,
        Linus Torvalds <torvalds@...ux-foundation.org>
CC:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        "David S . Miller" <davem@...emloft.net>,
        Daniel Borkmann <daniel@...earbox.net>,
        David Ahern <dsa@...ulusnetworks.com>,
        Tejun Heo <tj@...nel.org>, Thomas Graf <tgraf@...g.ch>,
        Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH net] bpf: expose netns inode to bpf programs

On 1/26/17 8:37 AM, Andy Lutomirski wrote:
>> Think of bpf programs as safe kernel modules. They don't have
>> confined boundaries and program authors, if not careful, can shoot
>> themselves in the foot. We're not trying to prevent that because
>> it's impossible to check that the program is sane. Just like
>> it's impossible to check that kernel module is sane.
>> But in case of bpf we check that bpf program is _safe_ from the kernel
>> point of view. If it's doing some garbage, it's program's business.
>> Does it make more sense now?
>>
>
> With all due respect, I think this is not an acceptable way to think
> about BPF at all.  If you think of BPF this way, I think there needs
> to be a real discussion at KS or similar as to whether this is okay.
> The reason is simple: the kernel promises a stable ABI to userspace
> but not to kernel modules.  By thinking of BPF as more like a module,
> you're taking a big shortcut that will either result in ABI breakage
> down the road or in committing to a problematic stable ABI.

you misunderstood the analogy.
bpf abi is certainly stable. that's why we were careful of not
exposing anything to it that is not already stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ