Relax kern_version constraints on bpf kprobes?

From: Sargun Dhillon
Date: Sun Jul 24 2016 - 00:02:02 EST

Next message: Evelin Farkas: "Re: Kredit Angebot"
Previous message: Nicholas Mc Guire: "[PATCH] spi: pic32: fixup wait_for_completion_timeout return handling"
Next in thread: Alexei Starovoitov: "Re: Relax kern_version constraints on bpf kprobes?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In kernel/bpf/syscall.c we restrict programs loading bpf kprobe programs so
attr.kern_version must be exactly equal to what the user is running at the
moment. This makes a lot of sense because kprobes can touch lots of
unstable bits of the kernel ABI.

Unfortunately, this makes it really difficult to ship binary bpf programs
for debugging, and most customers don't want to go through all the steps
of preparing for compilation and installation of bpf programs for their
specific kernel that was shipped by their vendor.

This is especially problematic when the probe is touching only stable ABIs
(syscalls), or alternatively is just logging performance events. I realize
that we can change this section pretty easily by reading the version at
load time and modifying it, but it's kind of a pain.

For programs that we know are safe, is there a mechanism by which we can
bypass this check, and tell the loader that we know what we're doing
since these programs are only accessible to CAP_SYS_ADMIN?

Next message: Evelin Farkas: "Re: Kredit Angebot"
Previous message: Nicholas Mc Guire: "[PATCH] spi: pic32: fixup wait_for_completion_timeout return handling"
Next in thread: Alexei Starovoitov: "Re: Relax kern_version constraints on bpf kprobes?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]