Hi Andy,
>>>>
>>>
>>> Well, yes. sys_bpf() is pretty powerful.
>>>
>>> The goal of /dev/bpf is to enable special users to call sys_bpf(). In
>>> the meanwhile, such users should not take down the whole system easily
>>> by accident, e.g., with rm -rf /.
>>
>> That’s easy, though — bpftool could learn to read /etc/bpfusers before
>> allowing ruid != 0.
>
> This is a great idea! fscaps + /etc/bpfusers should do the trick.

After some discussions and more thinking on this, I have some concerns
with the user-space-only approach.

IIUC, your proposal for the user-space-only approach is like:
1. bpftool (and other tools) check /etc/bpfusers and only do
   setuid for allowed users:

       int main()
       {
               if (/* uid in /etc/bpfusers */)
                       setuid(0);
               sys_bpf(...);
       }

2. bpftool (and other tools) is installed with CAP_SETUID:

       setcap cap_setuid=e+p /bin/bpftool

3. sys admin maintains proper /etc/bpfusers.

This approach is not ideal, because we need to trust the tool to give
it CAP_SETUID. A hacked tool could easily bypass the /etc/bpfusers check
or use other root-only syscalls after setuid(0).

Does this make sense? (Or did I misunderstand anything?)

Thanks,
Song
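
As an added illustration of step 1 above (not code from this thread or from bpftool), here is what the /etc/bpfusers gate could look like in C; the file format (whitespace-separated entries, each a user name or numeric uid, '#' to end of line as a comment) and the function names are assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `uid`, or the login name `name` (may be NULL), is listed in the
 * allow-list text `list`, else 0.  Assumed format: whitespace-separated
 * entries, each a user name or a numeric uid; '#' to end of line is a comment. */
int bpfusers_allows(const char *list, uid_t uid, const char *name)
{
	char *buf = malloc(strlen(list) + 1);
	if (!buf)
		return 0;                         /* fail closed */
	strcpy(buf, list);
	for (char *c = buf; (c = strchr(c, '#')) != NULL; )
		while (*c && *c != '\n')
			*c++ = ' ';               /* blank out comments */
	int allowed = 0;
	for (char *tok = strtok(buf, " \t\r\n"); tok && !allowed;
	     tok = strtok(NULL, " \t\r\n")) {
		char *end;
		unsigned long v = strtoul(tok, &end, 10);
		if (*end == '\0')                 /* numeric entry: match uid */
			allowed = ((uid_t)v == uid);
		else if (name)                    /* user name entry */
			allowed = (strcmp(tok, name) == 0);
	}
	free(buf);
	return allowed;
}

/* Step 1 of the proposal as the tool would run it.  The binary already holds
 * CAP_SETUID at this point, so the gate is only as trustworthy as the binary:
 * nothing in the kernel enforces /etc/bpfusers, which is the concern above. */
int run_as_bpf_user(const char *list)
{
	if (!bpfusers_allows(list, getuid(), getlogin()))
		return -1;   /* refused by policy; still an unprivileged process */
	if (setuid(0) != 0)
		return -2;   /* no CAP_SETUID, e.g. setcap was never applied */
	return 0;            /* caller may now call sys_bpf(); process is full root */
}
```

The constructed list contents in the test stand in for a real /etc/bpfusers file; reading the file itself is left to the caller.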