On Sunday, 11 July 2021 14:41:08 BST caveman رَجُلُ الْكَهْفِ 穴居人 wrote:
> On Sunday, July 11th, 2021 at 13:11, Nils Freydank <nils.freyd...@posteo.de> wrote:
> > Hi caveman,
> >
> > you should really train your search skills :-P
>
> lel. more like train my cognition.

I could do with a bit of the same! ;-)

> > (1) Just searching for "libbpf" and then for "bpf BTF" gives plenty
> > webpages and links. In short:
> >
> > BPF: Berkeley packet filter, e.g.:
> > https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
> >
> > libbpf: a library to use it, e.g.: https://github.com/libbpf/libbpf
> >
> > BPF Type Format (BTF) https://www.kernel.org/doc/html/v5.9/bpf/btf.html
>
> i did this before asking here, but didn't fully
> get it.
>
> wiki seems to say that it's for speeding up packet
> filtering by having apps supply a filtering
> program into the kernel, so that the whole thing
> is done inside the kernel for speed.

Right, the old Berkeley Packet Filter (BPF) was meant to filter packets and was used in networking and security functions. However, from what I have understood so far, the BPF instruction set and architecture were deemed flexible enough to be extended for other functions, acting as if it were a virtual machine within the Linux kernel to allow bytecode to run at various hook points in a safe manner. So think of BPF as a framework to leverage kernel functionality by various programs, safely and fast. BPF is used e.g. to implement networking policies early, hooking deep into the NIC driver, without moving packets in and out of kernel/user space.

> but i also read elsewhere that it's being used to
> generally run any apps inside the kernel,
> ultimately making linux slowly become some
> kind of a micro-kernel design. didn't fully get
> it.

Hmm ... not sure about this. I don't think BPF allows you to run apps inside the kernel as such. It allows apps to utilise *programmable* functionality like XDP (eXpress Data Path) to access kernel data at an earlier state than would otherwise be accessible; e.g. close to bare-metal packet processing, before such data reaches the network stack for conventional processing.

This is convenient for applying network policies for containers at an earlier stage than would be the case without BPF infrastructure, and for constraining kernel data and memory access in a secure way. BPF may have expanded into micro-kernel design; I can see how the BPF functionality would be desirable for this purpose, but I'm not sure BPF would reduce the kernel size as such. TBH, this is not a field I have looked into enough to be able to add anything useful.

> but either way, this feature sort of freaks me.
> is it harming my security? how can i know which
> app is running its code inside my kernel?
>
> also, which apps would benefit from this? and why
> did i end up having it? e.g. any idea which app
> brought this feature?
>
> or did gentoo generally go to ship BTF by default?
> without any app needing it?

You can enable/disable BPF in your kernel. BTF is used to manage types of ELF executable binaries, so as to utilise the BPF ABI. LLVM, Clang and others utilise BPF to generate object files which can be loaded and run in the kernel. This is meant to happen securely, following verification of instructions to establish they are legitimate, so that the kernel and hardware are not compromised by loose coding. Apps like iproute2, suricata, network accounting/monitoring apps, etc. make use of BPF. However, I'm no dev so I have no idea what the potential for BPF harming Linux security might be. Other more knowledgeable M/L contributors may chime in to explain better.
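An added example, not code from any of the list posts: a small POSIX shell audit script that answers the practical questions raised in the thread, namely whether BPF and BTF are compiled into the running kernel, whether unprivileged processes may call bpf() at all, and which programs are loaded right now (and, with a recent bpftool, which processes hold them). It assumes a Linux host and the standard paths /proc/config.gz, /boot/config-$(uname -r), /usr/src/linux/.config, /proc/sys/kernel/unprivileged_bpf_disabled and /sys/kernel/btf/vmlinux; bpftool is optional. The checks take file paths as parameters so they can be exercised against constructed files; the config lines used in that test are constructed, not taken from any real kernel.

```shell
#!/bin/sh
# bpf_audit.sh: is BPF enabled on this kernel, who may load programs, and
# what is loaded right now?  Added example for this thread, not from the
# list posts.  Assumes a Linux host; bpftool is optional.

# Look for the running kernel's config in the usual places.  On Gentoo the
# source tree copy is the common one; /proc/config.gz needs CONFIG_IKCONFIG_PROC.
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)" /usr/src/linux/.config; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Print y, m, n or unknown for one CONFIG_ option read from a config file
# (plain text or gzip-compressed).  Exact-line matches only, so asking for
# CONFIG_BPF does not accidentally match CONFIG_BPF_SYSCALL.
config_value() {
    want=$1
    cfg_file=$2
    case "$cfg_file" in
        *.gz) zcat "$cfg_file" ;;
        *)    cat "$cfg_file" ;;
    esac | awk -v opt="$want" '
        $0 == (opt "=y") || $0 == (opt "=m") { sub(/^[^=]*=/, ""); print; found = 1; exit }
        $0 == ("# " opt " is not set")      { print "n"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# kernel.unprivileged_bpf_disabled: 0 = any user may call bpf(), 1 = root only
# and it cannot be switched back until reboot, 2 = root only but root may set
# it back to 0 (newer kernels).  $1 is the sysctl file, parameterised for testing.
unprivileged_bpf_status() {
    v=$(cat "$1" 2>/dev/null || echo missing)
    case "$v" in
        0) echo allowed ;;
        1) echo disabled-locked ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# /sys/kernel/btf/vmlinux exists when the kernel was built with
# CONFIG_DEBUG_INFO_BTF; libbpf-based tools read it to relocate their programs
# against the running kernel's types.
btf_available() {
    if [ -r "$1" ]; then echo yes; else echo no; fi
}

# Listing loaded programs needs CAP_BPF or CAP_SYS_ADMIN.  Recent bpftool
# versions also print the PIDs of the processes holding each program, which
# is the direct answer to "which app is running code inside my kernel?".
list_bpf_programs() {
    if command -v bpftool >/dev/null 2>&1; then
        bpftool prog show 2>&1 || true
    else
        echo "bpftool not installed; cannot list loaded BPF programs"
    fi
}

main() {
    if cfg=$(find_kernel_config); then
        echo "kernel config: $cfg"
        for opt in CONFIG_BPF_SYSCALL CONFIG_BPF_JIT CONFIG_BPF_JIT_ALWAYS_ON CONFIG_DEBUG_INFO_BTF; do
            printf '  %-28s %s\n' "$opt" "$(config_value "$opt" "$cfg")"
        done
    else
        echo "kernel config: not found"
    fi
    echo "unprivileged bpf(): $(unprivileged_bpf_status /proc/sys/kernel/unprivileged_bpf_disabled)"
    echo "BTF for vmlinux:    $(btf_available /sys/kernel/btf/vmlinux)"
    echo "loaded programs:"
    list_bpf_programs
    return 0
}

main
```

Run it as root to get the program list. CONFIG_BPF_SYSCALL=n means nothing can load a program at all; with it set to y, the unprivileged_bpf_disabled sysctl is what decides whether an ordinary user account can hand bytecode to the verifier, and "disabled-locked" is the conservative setting for a desktop that does not knowingly run BPF tooling. A "yes" for BTF with no BPF-using packages installed simply means the kernel was built with CONFIG_DEBUG_INFO_BTF; it is metadata about the kernel's own types, not evidence that any program is loaded.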