| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1543506955.2867.10.camel@codethink.co.uk>
Date: Thu, 29 Nov 2018 15:55:55 +0000
From: Ben Hutchings <ben.hutchings@...ethink.co.uk>
To: Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] bpf/verifier: Log instruction patching when verbose
logging is enabled
On Fri, 2018-11-23 at 21:10 +0100, Daniel Borkmann wrote:
> On 11/23/2018 07:34 PM, Ben Hutchings wrote:
> > User-space does not have access to the patched eBPF code, but we
> > need to be able to test that patches are being applied. Therefore
> > log distinct messages for each case that requires patching.
>
> Thanks for the patches, Ben! Above is actually not the case, e.g. privileged
> admin can use something like 'bpftool prog dump xlated id <id>' and then the
> BPF insns are dumped to user space for the program /after/ the verification,
> so the rewrites can then be seen.
Oh that's good.
> test_verifier temporarily drops caps to
> load and run the unprivileged cases, but we can extend the test suite to
> retrieve and check the final insns after that happened. I think this would be
> a nice extension to the test suite for cases like these and would also provide
> better insight than verbose() statement saying that something has been
> patched (but not the actual result of it).
Agreed; I'll look into doing this instead.
Ben.
--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom
Powered by blists - more mailing lists