[PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf
Lorenz Bauer
lmb at cloudflare.com
Wed Aug 7 09:03:57 UTC 2019
On Wed, 7 Aug 2019 at 06:24, Andy Lutomirski <luto at kernel.org> wrote:
> a) Those that, by design, control privileged operations. This
> includes most attach calls, but it also includes allow_ptr_leaks,
> bpf_probe_read(), and quite a few other things. It also includes all
> of the by_id calls, I think, unless some clever modification to the
> way they worked would isolate different users' objects. I think that
> persistent objects can do pretty much everything that by_id users
> would need, so this isn't a big deal.
Slightly OT, since this is an implementation question: GET_MAP_FD_BY_ID
is useful to iterate a nested map. This isn't covered by rights to
persistent objects,
so it would need some thought.
--
Lorenz Bauer | Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK
www.cloudflare.com
More information about the Linux-security-module-archive
mailing list