Microsoft & Others Form The eBPF Foundation
Originally posted by Jakobson:
> At runtime via procfs if not set on by default:
> https://elixir.bootlin.com/linux/lat...pf/Kconfig#L38

There are a few JIT options and one 'disable unprivileged BPF' option. Yes, I assume it can theoretically be okay with the second, but it still leaves some loopholes. For now rebuilding distro kernels becomes the only option to get rid of it on any critical and semi-critical instances, and this is ultimately bad.

Last edited by Alex/AT; 15 August 2021, 10:40 AM.
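The post above contrasts the build-time option (rebuilding the kernel without the BPF syscall) with the runtime procfs knob. As an added example, not code from this thread or from any project it mentions, the POSIX sh script below audits both on a host: it reads the relevant symbols from a kernel config file (CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT and CONFIG_BPF_UNPRIV_DEFAULT_OFF from kernel/bpf/Kconfig) and the runtime value of kernel.unprivileged_bpf_disabled under /proc/sys, then gives a one-word exposure verdict. The file paths are parameters so it can be pointed at a saved config or at constructed sample files; the value 2 and CONFIG_BPF_UNPRIV_DEFAULT_OFF exist on kernels from 5.13 on, and the verdict labels (none/low/medium/high) are my own naming, not anything the kernel reports.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project it mentions.
# It audits the two knobs the posts argue about: the build-time symbols in
# kernel/bpf/Kconfig and the runtime sysctl kernel.unprivileged_bpf_disabled
# exposed under /proc/sys. File paths are parameters so the functions can be
# run against a saved kernel config or constructed sample files; the defaults
# at the bottom point at the live host.

# kconfig_value CONFIG_FILE SYMBOL -> prints y, m or n
# ("n" covers both "# SYMBOL is not set" and a symbol that is absent).
kconfig_value() {
    _line=$(grep -E "^(# )?$2[= ]" "$1" 2>/dev/null | head -n 1)
    case "$_line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo n ;;
    esac
}

# unpriv_bpf_state SYSCTL_FILE -> prints one of
#   enabled          0: unprivileged users may load BPF programs
#   disabled-locked  1: disabled and cannot be re-enabled until reboot
#   disabled         2: disabled, but root can write 0 to re-enable it
#   absent           file missing (syscall not built, or a kernel too old)
unpriv_bpf_state() {
    [ -r "$1" ] || { echo absent; return; }
    case "$(cat "$1")" in
        0) echo enabled ;;
        1) echo disabled-locked ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# bpf_exposure CONFIG_FILE SYSCTL_FILE -> one-word verdict (my own labels)
#   none    CONFIG_BPF_SYSCALL is off: the "rebuild the kernel" outcome
#   high    the syscall is reachable from unprivileged processes
#   medium  unprivileged use is off but can be switched back on at runtime
#   low     unprivileged use is off and locked for this boot
bpf_exposure() {
    [ "$(kconfig_value "$1" CONFIG_BPF_SYSCALL)" = y ] || { echo none; return; }
    case "$(unpriv_bpf_state "$2")" in
        disabled-locked) echo low ;;
        disabled)        echo medium ;;
        *)               echo high ;;
    esac
}

# bpf_report CONFIG_FILE SYSCTL_FILE -> human-readable summary on stdout
bpf_report() {
    echo "CONFIG_BPF_SYSCALL:            $(kconfig_value "$1" CONFIG_BPF_SYSCALL)"
    echo "CONFIG_BPF_JIT:                $(kconfig_value "$1" CONFIG_BPF_JIT)"
    echo "CONFIG_BPF_UNPRIV_DEFAULT_OFF: $(kconfig_value "$1" CONFIG_BPF_UNPRIV_DEFAULT_OFF)"
    echo "unprivileged_bpf_disabled:     $(unpriv_bpf_state "$2")"
    echo "exposure:                      $(bpf_exposure "$1" "$2")"
}

# Stand-alone use: defaults to the running kernel's config and sysctl file.
bpf_report "${1:-/boot/config-$(uname -r)}" \
           "${2:-/proc/sys/kernel/unprivileged_bpf_disabled}"
```

A "medium" verdict is the case the post calls a loophole: the sysctl is off now, but the value 2 means a root process can write 0 and re-enable unprivileged loading without a reboot; setting it to 1, or building with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, closes that gap without rebuilding the kernel without BPF entirely.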
Originally posted by andyprough:
> Ten years from now when security researchers find all the security holes, there are going to be some painful mitigations for dealing with this.

Last edited by ryao; 17 August 2021, 04:20 PM.
Originally posted by Alex/AT:
> I don't see anything like 'disable bpf' under /proc there, do you?
> There are a few JIT options and one 'disable unprivileged BPF' option. Yes, I assume it can theoretically be okay with the second, but it still leaves some loopholes. For now rebuilding distro kernels becomes the only option to get rid of it on any critical and semi-critical instances, and this is ultimately bad.

Last edited by ryao; 17 August 2021, 04:19 PM.
Originally posted by ryao:
> It is a feature meant for debugging.

Originally posted by ryao:
> You can build the kernel without the syscall.
Originally posted by Alex/AT:
> Isn't it logical that a feature meant for debugging has nothing to do with the general network stack (except debugging), and should be enabled in debug kernel builds only?
Without debug symbols, its ability to be used is limited, but most distributions have kernel symbol packages. They build the kernels as “debug” kernels and strip the symbols into debug symbol packages to produce the binaries that they distribute. Disabling it at the build system level would not make sense for the people who install kernel debug symbols.
Originally posted by Alex/AT:
> This doesn't stand as anything to me but a deliberately introduced injection point you can't easily get rid of.
I know some guys writing an eBPF auditd replacement that is far more performant than auditd. At present, auditd tends to cause systems to slow to a crawl. Their WIP eBPF based prototype does not. If they succeed, eBPF could one day be a feature that improves security by making auditing something you could reasonably do on production machines outside government environments.
Anyway, eBPF is a great feature that has plenty of potential. Want to know the VFS cache hit rate? Use eBPF. Want to know which files are frequently accessed? Use eBPF. Want to know the distribution of filesystem/syscall/network latencies? Use eBPF. The iovisor/bcc project on GitHub makes doing such things with eBPF easy for system administrators. The sheer number of things it enables is far more than we would have with hard coded instrumentation in the kernel that only serves to bloat the kernel when not in use. eBPF gives us basically zero additional kernel bloat when not in use.
It also allows for debugging high frequency events, which was impossible with other means. ftrace for example imposed too much overhead to be used for frequently occurring events that lasted hundreds of nanoseconds because the overhead would cause the data to not match what happens on a production system. eBPF is low overhead enough that you can use it for that. It has been used inside Netflix for that purpose for years. See Brendan Gregg’s presentations for examples.

Last edited by ryao; 17 August 2021, 05:15 PM.