linux-man.vger.kernel.org archive mirror
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: rpalethorpe@suse.de
Cc: Richard Palethorpe <rpalethorpe@suse.com>,
	linux-man <linux-man@vger.kernel.org>,
	David Miller <davem@davemloft.net>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Quentin Monnet <quentin.monnet@netronome.com>,
	Alexei Starovoitov <alexei.starovoitov@gmail.com>
Subject: Re: [PATCH] bpf.2: Change note on unprivileged access
Date: Sat, 18 Apr 2020 09:34:05 +0200
Message-ID: <CAKgNAkidUjC2=XzRVqfsjrtZQA8gN36onSFX=jJMr2DjM-CvYQ@mail.gmail.com>
In-Reply-To: <87h7xii6n3.fsf@our.domain.is.not.set>

[CC += Quentin]

Hello Richard (and Quentin, Daniel, Alexei),

On Fri, 17 Apr 2020 at 15:28, Richard Palethorpe <rpalethorpe@suse.de> wrote:
>
> Hello Michael,
>
> Michael Kerrisk (man-pages) <mtk.manpages@gmail.com> writes:
>
> > Hello Richard,
> >
> > On 7/29/19 2:58 PM, Richard Palethorpe wrote:
> >> This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN
> >> under some circumstances.
> >
> > Thanks. I have (at last) applied this patch.
>
> :-)
>
> >
> > In Linux 4.4, the allowed BPF helper functions that could
> > be called were, I think, governed by a check in sk_filter_func_proto().
> > Nowadays (Linux 5.6), it is, I think, governed by the check in
> > sk_filter_func_proto(). If that is the case, then probably there
>
> It looks like bpf_base_func_proto() and sk_filter_func_proto(). Possibly
> also cg_skb_func_proto() because it seems normal users can also attach a
> cgroup skb filter program type (looking at bpf_prog_load() in syscall.c
> for 5.7).

Thanks for the pointer to bpf_prog_load(). But, I must admit I'm
having trouble following the code. Can you say some more about how you
deduce the involvement of sk_filter_func_proto() and
cg_skb_func_proto()?

> > are one or two more helper functions to be added to the list
> > (e.g., get_numa_node_id, map_push_elem, map_pop_elem).
> > Do you agree with my analysis?
>
> Yes, at least those. IMO this is such a fast moving target it might be
> best to direct users towards <linux/bpf.h>.

Are you aware of bpf-helpers(7) [1], which is generated [2] from that
file? It seems like this would be the place to document which helpers
can be used by unprivileged processes.

Quentin, Daniel, Alexei, do you have any thoughts here?

Thanks,

Michael

[1] http://man7.org/linux/man-pages/man7/bpf-helpers.7.html
[2] https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=53666f6c30451cde022f65d35a8d448f5a7132ba


--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
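A defender's check that goes with the question discussed above (whether bpf() can be called without CAP_SYS_ADMIN, and for which program types), as an added example that is not part of this thread or of the man-pages project: it reports the kernel.unprivileged_bpf_disabled sysctl and then attempts to load the smallest valid BPF_PROG_TYPE_SOCKET_FILTER program, one of the two program types the thread says normal users can load, classifying the outcome by the errno meanings given in the ERRORS section of bpf(2). The function names and the two-instruction program are this example's own; the sysctl value 2 (disabled but re-enableable) exists only in kernels newer than the ones discussed in the thread.

```c
/* Added example (not from the man-pages thread): probe whether this host
 * lets an unprivileged process load a trivial socket-filter program via
 * bpf(BPF_PROG_LOAD). Sysctl path and errno meanings follow bpf(2) and
 * Documentation/admin-guide/sysctl/kernel.rst. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Only the probe itself needs the kernel UAPI header; the helpers below
 * build everywhere so the outcome classification can be exercised alone. */
#if defined(__linux__) && __has_include(<linux/bpf.h>)
#define HAVE_LINUX_BPF 1
#include <linux/bpf.h>
#include <sys/syscall.h>
#endif

enum load_outcome { LOAD_OK, LOAD_DENIED, LOAD_REJECTED, LOAD_OTHER };

/* Map a bpf(BPF_PROG_LOAD) return value and errno to an outcome, following
 * bpf(2): EPERM = insufficient privilege (refused before verification),
 * EACCES = verifier deemed the program unsafe, EINVAL = invalid program. */
enum load_outcome classify_prog_load(long ret, int err)
{
    if (ret >= 0)
        return LOAD_OK;
    if (err == EPERM)
        return LOAD_DENIED;
    if (err == EACCES || err == EINVAL)
        return LOAD_REJECTED;
    return LOAD_OTHER;
}

/* Meaning of the values of /proc/sys/kernel/unprivileged_bpf_disabled. */
const char *describe_unprivileged_bpf_disabled(int value)
{
    switch (value) {
    case 0:  return "unprivileged bpf() allowed (subject to per-type and helper checks)";
    case 1:  return "unprivileged bpf() disabled until reboot";
    case 2:  return "unprivileged bpf() disabled, re-enableable by writing 0";
    default: return "unknown value";
    }
}

/* Read a single integer from a /proc or /sys file; -1 if it cannot be read. */
int read_sysctl_int(const char *path)
{
    FILE *f = fopen(path, "r");
    int v;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

#ifdef HAVE_LINUX_BPF
/* Try to load the smallest valid socket-filter program ("r0 = 0; exit").
 * Returns the program fd (>= 0) or -1 with *err set to errno. */
long probe_socket_filter_load(int *err)
{
    struct bpf_insn insns[2];
    union bpf_attr attr;
    long ret;

    memset(insns, 0, sizeof insns);
    insns[0].code = BPF_ALU64 | BPF_MOV | BPF_K;  /* r0 = 0 (imm is already 0) */
    insns[1].code = BPF_JMP | BPF_EXIT;           /* exit */

    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insn_cnt = 2;
    attr.insns = (__u64)(unsigned long)insns;
    attr.license = (__u64)(unsigned long)"GPL";

    ret = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    *err = (ret < 0) ? errno : 0;
    return ret;
}
#endif

int main(void)
{
    int v = read_sysctl_int("/proc/sys/kernel/unprivileged_bpf_disabled");
    printf("kernel.unprivileged_bpf_disabled = %d: %s\n",
           v, describe_unprivileged_bpf_disabled(v));
#ifdef HAVE_LINUX_BPF
    int err;
    long fd = probe_socket_filter_load(&err);
    switch (classify_prog_load(fd, err)) {
    case LOAD_OK:       puts("BPF_PROG_LOAD succeeded: unprivileged socket filters are loadable here"); break;
    case LOAD_DENIED:   puts("BPF_PROG_LOAD -> EPERM: the kernel refused the call before verification"); break;
    case LOAD_REJECTED: printf("BPF_PROG_LOAD rejected the program: %s\n", strerror(err)); break;
    default:            printf("BPF_PROG_LOAD failed: %s\n", strerror(err)); break;
    }
    if (fd >= 0)
        close(fd);
#else
    puts("linux/bpf.h not available; skipping the BPF_PROG_LOAD probe");
#endif
    return 0;
}
```

Build with `cc -o bpfprobe bpfprobe.c` and run it as an unprivileged user: EPERM means the kernel refused the call outright (the sysctl or the program-type check), while EACCES or EINVAL would point at the verifier or the program itself, which is the distinction worth recording when auditing a host's unprivileged BPF exposure.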

Thread overview:
     [not found] <20190729125843.6319-1-rpalethorpe@suse.com>
2020-04-17 10:01 ` [PATCH] bpf.2: Change note on unprivileged access Michael Kerrisk (man-pages)
2020-04-17 13:28   ` Richard Palethorpe
2020-04-18  7:34     ` Michael Kerrisk (man-pages) [this message]
2020-04-18  7:36       ` Michael Kerrisk (man-pages)
2020-04-20  9:08         ` Quentin Monnet
2020-04-22 12:26           ` Michael Kerrisk (man-pages)
2020-04-23  9:56             ` Quentin Monnet
