lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jul 2022 13:48:51 +0200 From: Artem Savkov <asavkov@...hat.com> To: Jiri Olsa <olsajiri@...il.com> Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, bpf@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, Andrea Arcangeli <aarcange@...hat.com> Subject: Re: [RFC PATCH bpf-next 2/4] bpf: add BPF_F_DESTRUCTIVE flag for BPF_PROG_LOAD On Mon, Jul 11, 2022 at 12:56:28PM +0200, Jiri Olsa wrote: > On Mon, Jul 11, 2022 at 10:32:18AM +0200, Artem Savkov wrote: > > Add a BPF_F_DESTRUCTIVE will be required to be supplied to > > BPF_PROG_LOAD for programs to utilize destructive helpers such as > > bpf_panic(). > > I'd think that having kernel.destructive_bpf_enabled sysctl knob enabled > would be enough to enable that helper from any program, not sure having > extra load flag adds more security I agree it doesn't add more security. The idea was to have a way for a developer to explicitly state he understand this will be dangerous. This flag can also translate well into something like a --destructive option for bpftrace without needing to keep a list of destructive helpers on their side. -- Artem
Powered by blists - more mailing lists