From: Daniel Borkmann <daniel@iogearbox.net>
To: Christian Barcenas <christian@cbarcenas.com>,
Alexei Starovoitov <ast@kernel.org>,
netdev@vger.kernel.org
Cc: Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>,
bpf@vger.kernel.org
Subject: Re: [PATCH bpf] bpf: respect CAP_IPC_LOCK in RLIMIT_MEMLOCK check
Date: Mon, 16 Sep 2019 11:26:53 +0200 [thread overview]
Message-ID: <678ba696-4b20-5f06-7c4f-ec68a9229620@iogearbox.net> (raw)
In-Reply-To: <20190911181816.89874-1-christian@cbarcenas.com>
On 9/11/19 8:18 PM, Christian Barcenas wrote:
> A process can lock memory addresses into physical RAM explicitly
> (via mlock, mlockall, shmctl, etc.) or implicitly (via VFIO,
> perf ring-buffers, bpf maps, etc.), subject to RLIMIT_MEMLOCK limits.
>
> CAP_IPC_LOCK allows a process to exceed these limits, and throughout
> the kernel this capability is checked before allowing/denying an attempt
> to lock memory regions into RAM.
>
> Because bpf locks its programs and maps into RAM, it should respect
> CAP_IPC_LOCK. Previously, bpf would return EPERM when RLIMIT_MEMLOCK was
> exceeded by a privileged process, which is contrary to documented
> RLIMIT_MEMLOCK+CAP_IPC_LOCK behavior.
Do you have a link/pointer where this is /clearly/ documented?
Uapi header is not overly clear ...
include/uapi/linux/capability.h says:
/* Allow locking of shared memory segments */
/* Allow mlock and mlockall (which doesn't really have anything to do
with IPC) */
#define CAP_IPC_LOCK 14
[...]
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
#define CAP_SYS_RESOURCE 24
... but my best guess is you are referring to `man 2 mlock`:
Limits and permissions
In Linux 2.6.8 and earlier, a process must be privileged (CAP_IPC_LOCK)
in order to lock memory and the RLIMIT_MEMLOCK soft resource limit defines
a limit on how much memory the process may lock.
Since Linux 2.6.9, no limits are placed on the amount of memory that a
privileged process can lock and the RLIMIT_MEMLOCK soft resource limit
instead defines a limit on how much memory an unprivileged process may lock.
Thanks,
Daniel
next prev parent reply other threads:[~2019-09-16 9:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-11 18:18 [PATCH bpf] bpf: respect CAP_IPC_LOCK in RLIMIT_MEMLOCK check Christian Barcenas
2019-09-13 18:48 ` Yonghong Song
2019-09-16 9:26 ` Daniel Borkmann [this message]
2019-09-16 14:09 ` Christian Barcenas
2019-09-16 22:19 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=678ba696-4b20-5f06-7c4f-ec68a9229620@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=christian@cbarcenas.com \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).