Patches Updated For Hooking eBPF Programs Into The Linux Kernel Scheduler

  • Patches Updated For Hooking eBPF Programs Into The Linux Kernel Scheduler

    Phoronix: Patches Updated For Hooking eBPF Programs Into The Linux Kernel Scheduler

    Published back in November were a set of patches for allowing (e)BPF to extend the Linux kernel's scheduler. That interesting work is continuing with Friday having brought a second revision to the patches...


  • #2
    eBPF is a really neat concept, and I really like the tools it allows.

    Have a look at the tools in https://github.com/iovisor/bpftrace .

    I'm writing a tool similar to Ananicy/Ananicy-cpp, but where it won't set the niceness for the child processes (children have their parent process's niceness).

    This is made super easy with eBPF, using `sched_process_fork` and `sched_process_exec` trace events to monitor processes.

    Comment
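    As an added illustration of the approach described in this post (not code from the poster's tool or from bpftrace itself), the following bpftrace script attaches to the same two tracepoints and prints the fork/exec lineage; it assumes root or CAP_BPF plus CAP_PERFMON, and uses the field names the kernel exposes in the tracepoint format files.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example: follow process creation with the sched_process_fork and
 * sched_process_exec tracepoints, the events an Ananicy-style tool would
 * use to notice new processes. Field names come from
 * /sys/kernel/tracing/events/sched/sched_process_{fork,exec}/format.
 */

BEGIN
{
    printf("%-5s %-7s %-7s %-16s %s\n", "EV", "PPID", "PID", "COMM", "DETAIL");
}

tracepoint:sched:sched_process_fork
{
    // Remember who forked whom so the later exec event can name its parent.
    @parent[args->child_pid] = args->parent_pid;
    printf("%-5s %-7d %-7d %-16s forked by %s\n",
           "FORK", args->parent_pid, args->child_pid,
           args->child_comm, args->parent_comm);
}

tracepoint:sched:sched_process_exec
{
    // The tracepoint fires after the new image is set up, so `comm` is already
    // the new command name; old_pid differs from pid when a non-leader thread
    // called exec().
    $ppid = @parent[args->pid];
    printf("%-5s %-7d %-7d %-16s %s\n",
           "EXEC", $ppid, args->pid, comm, str(args->filename));
    @execs_per_parent[$ppid] = count();
    delete(@parent[args->pid]);
}

END
{
    // Drop the bookkeeping map; only the per-parent exec counts get printed.
    clear(@parent);
    print(@execs_per_parent);
}
```

Processes that fork without ever calling exec stay in @parent until they are deleted, so a long-running trace should watch that map's size.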


    • #3
      Originally posted by joshx1:
      eBPF is a really neat concept, and I really like the tools it allows.

      Have a look at the tools in https://github.com/iovisor/bpftrace .

      I'm writing a tool similar to Ananicy/Ananicy-cpp, but where it won't set the niceness for the child processes (children have their parent process's niceness).

      This is made super easy with eBPF, using `sched_process_fork` and `sched_process_exec` trace events to monitor processes.
      Yeah, it's great. But with great (kernel!) power comes great responsibility. Malware can use eBPF just as easily - and is increasingly doing so. Root access is optional (for malware, thanks to privilege escalation attacks or even admins configuring eBPF to allow arbitrary users to place eBPF programs for execution!!).

      Instead have a look at what eBPF can do - and by extension anyone using eBPF (good or bad) and then decide if you really want to open that can of worms. My bet is that most people shouldn't even if you think you want to.

      Extended Berkeley Packet Filter (eBPF) is beginning to transform the Linux malware landscape. Here's what defenders should look out for.


      (In short, if your use case doesn't require eBPF, you shouldn't use it. It's not a performance silver bullet.)
      Last edited by stormcrow; 28 January 2023, 02:07 PM.

      Comment


      • #4
        Originally posted by stormcrow:
        Yeah, it's great. But with great (kernel!) power comes great responsibility. Malware can use eBPF just as easily - and is increasingly doing so. Root access is optional (for malware, thanks to privilege escalation attacks or even admins configuring eBPF to allow arbitrary users to place eBPF programs for execution!!).
        If you have privilege escalation, eBPF is the least of your worries, since the malware can simply inject and load kernel modules at that point.

        I agree that eBPF should be absolutely controlled, which makes it perfectly safe (at least, compared to having no eBPF at all). It's not more dangerous when it comes to privilege escalation, that's just paranoia.

        Comment


        • #5
          Originally posted by joshx1:
          eBPF is a really neat concept, and I really like the tools it allows.

          Have a look at the tools in https://github.com/iovisor/bpftrace .

          I'm writing a tool similar to Ananicy/Ananicy-cpp, but where it won't set the niceness for the child processes (children have their parent process's niceness).

          This is made super easy with eBPF, using `sched_process_fork` and `sched_process_exec` trace events to monitor processes.
          Oh, that's interesting! I'm the original author of ananicy-cpp, and I'd love to use eBPF in such a way!
          It would probably be much more performant too!

          Comment


          • #6
            Originally posted by joshx1:
            I'm writing a tool similar to Ananicy/Ananicy-cpp, but where it won't set the niceness for the child processes (children have their parent process's niceness).

            This is made super easy with eBPF, using `sched_process_fork` and `sched_process_exec` trace events to monitor processes.
            Any link to your version that uses eBPF?

            Comment
