Re: [PATCH bpf-next] bpf, doc: Update bpf_jit_enable limitation for CONFIG_BPF_JIT_ALWAYS_ON
On 04/27/2018 11:49 AM, Leo Yan wrote: > On Fri, Apr 27, 2018 at 11:44:44AM +0200, Daniel Borkmann wrote: >> On 04/26/2018 04:26 AM, Leo Yan wrote: >>> When CONFIG_BPF_JIT_ALWAYS_ON is enabled, kernel has limitation for >>> bpf_jit_enable, so it has fixed value 1 and we cannot set it to 2 >>> for JIT opcode dumping; this patch is to update the doc for it. >>> >>> Signed-off-by: Leo Yan>>> --- >>> Documentation/networking/filter.txt | 6 ++ >>> 1 file changed, 6 insertions(+) >>> >>> diff --git a/Documentation/networking/filter.txt >>> b/Documentation/networking/filter.txt >>> index fd55c7d..feddab9 100644 >>> --- a/Documentation/networking/filter.txt >>> +++ b/Documentation/networking/filter.txt >>> @@ -483,6 +483,12 @@ Example output from dmesg: >>> [ 3389.935851] JIT code: 0030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff >>> ff 00 00 >>> [ 3389.935852] JIT code: 0040: eb 02 31 c0 c9 c3 >>> >>> +When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is set to 1 by >>> default >>> +and it returns failure if change to any other value from proc node; this is >>> +for security consideration to avoid leaking info to unprivileged users. In >>> this >>> +case, we can't directly dump JIT opcode image from kernel log, >>> alternatively we >>> +need to use bpf tool for the dumping. >>> + >> >> Could you change this doc text a bit, I think it's slightly misleading. From >> the first >> sentence one could also interpret that value 0 would leaking info to >> unprivileged users >> whereas here we're only talking about the case of value 2. Maybe something >> roughly like >> this to make it more clear: >> >> When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is permanently >> set to 1 and >> setting any other value than that will return in failure. This is even the >> case for >> setting bpf_jit_enable to 2, since dumping the final JIT image into the >> kernel log >> is discouraged and introspection through bpftool (under >> tools/bpf/bpftool/) is the >> generally recommended approach instead. > > Yeah, your rephrasing is more clear and better. Will do this and send > new patch soon. Thanks for your helping. Awesome, thank you! -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH bpf-next] bpf, doc: Update bpf_jit_enable limitation for CONFIG_BPF_JIT_ALWAYS_ON
On Fri, Apr 27, 2018 at 11:44:44AM +0200, Daniel Borkmann wrote: > On 04/26/2018 04:26 AM, Leo Yan wrote: > > When CONFIG_BPF_JIT_ALWAYS_ON is enabled, kernel has limitation for > > bpf_jit_enable, so it has fixed value 1 and we cannot set it to 2 > > for JIT opcode dumping; this patch is to update the doc for it. > > > > Signed-off-by: Leo Yan> > --- > > Documentation/networking/filter.txt | 6 ++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/Documentation/networking/filter.txt > > b/Documentation/networking/filter.txt > > index fd55c7d..feddab9 100644 > > --- a/Documentation/networking/filter.txt > > +++ b/Documentation/networking/filter.txt > > @@ -483,6 +483,12 @@ Example output from dmesg: > > [ 3389.935851] JIT code: 0030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff > > ff 00 00 > > [ 3389.935852] JIT code: 0040: eb 02 31 c0 c9 c3 > > > > +When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is set to 1 by > > default > > +and it returns failure if change to any other value from proc node; this is > > +for security consideration to avoid leaking info to unprivileged users. In > > this > > +case, we can't directly dump JIT opcode image from kernel log, > > alternatively we > > +need to use bpf tool for the dumping. > > + > > Could you change this doc text a bit, I think it's slightly misleading. From > the first > sentence one could also interpret that value 0 would leaking info to > unprivileged users > whereas here we're only talking about the case of value 2. Maybe something > roughly like > this to make it more clear: > > When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is permanently set > to 1 and > setting any other value than that will return in failure. This is even the > case for > setting bpf_jit_enable to 2, since dumping the final JIT image into the > kernel log > is discouraged and introspection through bpftool (under tools/bpf/bpftool/) > is the > generally recommended approach instead. Yeah, your rephrasing is more clear and better. Will do this and send new patch soon. Thanks for your helping. > Thanks, > Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH bpf-next] bpf, doc: Update bpf_jit_enable limitation for CONFIG_BPF_JIT_ALWAYS_ON
On 04/26/2018 04:26 AM, Leo Yan wrote: > When CONFIG_BPF_JIT_ALWAYS_ON is enabled, kernel has limitation for > bpf_jit_enable, so it has fixed value 1 and we cannot set it to 2 > for JIT opcode dumping; this patch is to update the doc for it. > > Signed-off-by: Leo Yan> --- > Documentation/networking/filter.txt | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/Documentation/networking/filter.txt > b/Documentation/networking/filter.txt > index fd55c7d..feddab9 100644 > --- a/Documentation/networking/filter.txt > +++ b/Documentation/networking/filter.txt > @@ -483,6 +483,12 @@ Example output from dmesg: > [ 3389.935851] JIT code: 0030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff ff > 00 00 > [ 3389.935852] JIT code: 0040: eb 02 31 c0 c9 c3 > > +When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is set to 1 by > default > +and it returns failure if change to any other value from proc node; this is > +for security consideration to avoid leaking info to unprivileged users. In > this > +case, we can't directly dump JIT opcode image from kernel log, alternatively > we > +need to use bpf tool for the dumping. > + Could you change this doc text a bit, I think it's slightly misleading. From the first sentence one could also interpret that value 0 would leaking info to unprivileged users whereas here we're only talking about the case of value 2. Maybe something roughly like this to make it more clear: When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is permanently set to 1 and setting any other value than that will return in failure. This is even the case for setting bpf_jit_enable to 2, since dumping the final JIT image into the kernel log is discouraged and introspection through bpftool (under tools/bpf/bpftool/) is the generally recommended approach instead. Thanks, Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH bpf-next] bpf, doc: Update bpf_jit_enable limitation for CONFIG_BPF_JIT_ALWAYS_ON
When CONFIG_BPF_JIT_ALWAYS_ON is enabled, kernel has limitation for bpf_jit_enable, so it has fixed value 1 and we cannot set it to 2 for JIT opcode dumping; this patch is to update the doc for it. Signed-off-by: Leo Yan--- Documentation/networking/filter.txt | 6 ++ 1 file changed, 6 insertions(+) diff --git a/Documentation/networking/filter.txt b/Documentation/networking/filter.txt index fd55c7d..feddab9 100644 --- a/Documentation/networking/filter.txt +++ b/Documentation/networking/filter.txt @@ -483,6 +483,12 @@ Example output from dmesg: [ 3389.935851] JIT code: 0030: 00 e8 28 94 ff e0 83 f8 01 75 07 b8 ff ff 00 00 [ 3389.935852] JIT code: 0040: eb 02 31 c0 c9 c3 +When CONFIG_BPF_JIT_ALWAYS_ON is enabled, bpf_jit_enable is set to 1 by default +and it returns failure if change to any other value from proc node; this is +for security consideration to avoid leaking info to unprivileged users. In this +case, we can't directly dump JIT opcode image from kernel log, alternatively we +need to use bpf tool for the dumping. + In the kernel source tree under tools/bpf/, there's bpf_jit_disasm for generating disassembly out of the kernel log's hexdump: -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html