Subject: Re: [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf
From: Andy Lutomirski
Date: Mon, 5 Aug 2019 15:21:09 -0700
To: Andy Lutomirski
Cc: Alexei Starovoitov, Song Liu, Kees Cook, Networking, bpf, Alexei Starovoitov, Daniel Borkmann, Kernel Team, Lorenz Bauer, Jann Horn, Greg KH, Linux API, LSM List
References: <369476A8-4CE1-43DA-9239-06437C0384C7@fb.com> <5A2FCD7E-7F54-41E5-BFAE-BB9494E74F2D@fb.com> <20190805192122.laxcaz75k4vxdspn@ast-mbp>
List-ID: bpf@vger.kernel.org

> On Aug 5, 2019, at 2:25 PM, Andy Lutomirski wrote:
>
> On Mon, Aug 5, 2019 at 12:21 PM Alexei Starovoitov wrote:
>
>> What we need is to drop privileges sooner in daemons like systemd.
>
> This is doable right now: systemd could fork off a subprocess and
> delegate its cgroup operations to it. It would be maybe a couple
> hundred lines of code. As an added benefit, that subprocess could
> verify that the bpf operations in question are reasonable.
> Alternatively, if there was a CAP_BPF_ADMIN, systemd could retain that
> capability and flip it on and off as needed.

I tried to look at the code and I couldn't find it. Does systemd drop privileges at all? Can you point me at the code you're thinking of
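The privilege-separated helper sketched in the quoted reply above, as an added example; it is not code from this thread, from systemd, or from the kernel. It assumes Linux, uses raw capget(2)/capset(2) so it needs no libcap, and invents a request struct (`struct bpf_req`), a policy in `check_request` and a `noop_op` placeholder where the real bpf(2) attach would go. CAP_BPF_ADMIN does not exist, so the on/off toggle uses CAP_SYS_ADMIN, which is what bpf(2) required at the time of this thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/bpf.h>
#include <linux/capability.h>

/* Request the unprivileged daemon sends to its privileged helper.
 * The shape is an assumption for this demo, not a systemd or kernel struct. */
struct bpf_req {
    uint32_t prog_type;   /* BPF_PROG_TYPE_* */
    char     cgroup[64];  /* cgroup the program is to be attached to */
};

enum { REQ_OK = 0, REQ_BAD_TYPE = 1, REQ_BAD_PATH = 2 };

/* The "verify that the bpf operations are reasonable" step, run in the helper
 * before any bpf(2) call. Assumed policy: only cgroup program types, only
 * NUL-terminated paths under the cgroup v2 mount, no ".." components. */
static int check_request(const struct bpf_req *r)
{
    if (r->prog_type != BPF_PROG_TYPE_CGROUP_SKB &&
        r->prog_type != BPF_PROG_TYPE_CGROUP_SOCK)
        return REQ_BAD_TYPE;
    if (memchr(r->cgroup, '\0', sizeof r->cgroup) == NULL ||
        strncmp(r->cgroup, "/sys/fs/cgroup/", 15) != 0 ||
        strstr(r->cgroup, "..") != NULL)
        return REQ_BAD_PATH;
    return REQ_OK;
}

/* capget/capset via raw syscalls (v3 ABI: two 32-bit words per set). */
typedef struct __user_cap_data_struct capdata_t[2];

static int get_caps(capdata_t d)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, d) == 0 ? 0 : -errno;
}

static int set_caps(const capdata_t d)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -errno;
}

/* What the main daemon does once the helper has been forked: lowering to the
 * empty set is always permitted, even for an unprivileged process. */
static int drop_all_caps(void)
{
    capdata_t d = { { 0 }, { 0 } };
    return set_caps(d);
}

/* "Flip it on and off": raise one capability into the effective set only
 * around op(), then clear it again. The cap must already be in permitted. */
static int with_cap(int cap, int (*op)(void *), void *arg)
{
    capdata_t d;
    if (cap < 0 || cap > 63) return -EINVAL;
    int w = cap / 32;
    uint32_t bit = 1u << (cap % 32);
    int rc = get_caps(d);
    if (rc) return rc;
    if (!(d[w].permitted & bit)) return -EPERM;
    d[w].effective |= bit;
    if ((rc = set_caps(d))) return rc;
    rc = op(arg);
    d[w].effective &= ~bit;      /* drop it again whatever op() returned */
    set_caps(d);
    return rc;
}

/* Placeholder for the privileged operation (the real bpf(2) attach). */
static int noop_op(void *arg) { (void)arg; return 0; }

/* Privilege separation: fork the helper while still privileged, drop all caps
 * in the parent, and send requests over a socketpair. The helper applies the
 * policy; as written it does not call bpf(2), so the demo runs unprivileged. */
static int delegate(const struct bpf_req *req)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0) return -errno;
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {                              /* helper keeps its caps */
        struct bpf_req r;
        int verdict = REQ_BAD_TYPE;
        close(sv[0]);
        if (read(sv[1], &r, sizeof r) == (ssize_t)sizeof r) {
            verdict = check_request(&r);
            /* real helper: if (verdict == REQ_OK)
             *     verdict = with_cap(CAP_SYS_ADMIN, do_bpf_attach, &r); */
        }
        (void)write(sv[1], &verdict, sizeof verdict);
        _exit(0);
    }
    close(sv[1]);
    int rc = drop_all_caps();                    /* parent is unprivileged now */
    int verdict = -1;
    if (rc == 0 && write(sv[0], req, sizeof *req) == (ssize_t)sizeof *req)
        (void)read(sv[0], &verdict, sizeof verdict);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return rc ? rc : verdict;
}

int main(void)
{
    /* Constructed request, not taken from any real system. */
    struct bpf_req req = { BPF_PROG_TYPE_CGROUP_SKB, "/sys/fs/cgroup/system.slice" };
    printf("verdict=%d\n", delegate(&req));
    return 0;
}
```

The ordering is the point: the helper is forked before `drop_all_caps()`, so it inherits the capabilities the parent gives up, and every later privileged operation has to pass `check_request` in a process the daemon's own code can no longer influence except through the socket.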