Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2633066imu; Thu, 29 Nov 2018 07:58:05 -0800 (PST) X-Google-Smtp-Source: AFSGD/V+lbRRnLCN4MvANvgEy/aUawd2hJLTqplFivQqy0dFMGcBcCEVxT33wy90t7czkmlq/snx X-Received: by 2002:a62:178f:: with SMTP id 137mr1893405pfx.226.1543507084970; Thu, 29 Nov 2018 07:58:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543507084; cv=none; d=google.com; s=arc-20160816; b=ue6KvBdPV8+RNGcMBKJE3YjF9aqgWWYCvxOrAXP1SPAPzSWvQ+VmcPLVNsLRfyEn7D q4NPq6I2EabhU5nAM2yOwhjqRXFEQFayA2vyfHuWtScskaNBG9cUougpoAbwFHI2mgt2 O02giid5CVL+65M8HnANBE7WRNrtpjY7Dgl1XOxi6fV9bBmSGu3xiA90+wdmRG3Zp/WH mgWX+snjXQyO2S4hpPAvv62ApZqjJMpGwqOom+dgDjxGufu3omAKQDvg0S+ZPRuZVdk/ IfmCC/wEiDR7jug1b2xHJMK87PS1e1yo0yn8DhDalvf0gsDZhS0UsYWUO+OZJXyPM5Hy jHGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:date:cc:to:from:subject :message-id; bh=NXHud0dRYCTTyTqwW8h/55aJDX3633WpJmY9uOxVii4=; b=quH1moLQElc6P2p80yH+OEWp9XCEU8cbt/Z2S8UJrAmGO7fjAu9k5leyCS6XW3+um+ sUfAnxFDyWx3UGs+2HcOx7TVV4qjGelkX9QuBvbCMjnG3d/waYkcubFIsfdeXn5GK1wJ MuLrNIV90i8ZIGC6WBlcDi1cgqKzE6k5b4aiV7+O+IFNDeiMl/KIWKfNyUnnkkXVtOMp BKSVZAka6c955f+WKtp5/cbMQpk0w2uckC0EaFqPjVTBnGVCFAkuOzHrgyADyLcWXsFo dincwvl+3n3JWVSA7JtEbN+0x/72SEE9/sIX7GRRJrYig65NXryMgbyUng0nyQwY1PRN uxrg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codethink.co.uk Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m8si2543272plt.171.2018.11.29.07.57.46; Thu, 29 Nov 2018 07:58:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codethink.co.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729104AbeK3DBu (ORCPT + 99 others); Thu, 29 Nov 2018 22:01:50 -0500 Received: from imap1.codethink.co.uk ([176.9.8.82]:54631 "EHLO imap1.codethink.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728363AbeK3DBt (ORCPT ); Thu, 29 Nov 2018 22:01:49 -0500 Received: from office.codethink.co.uk ([148.252.241.226] helo=xylophone) by imap1.codethink.co.uk with esmtpsa (Exim 4.84_2 #1 (Debian)) id 1gSOfU-0006EJ-59; Thu, 29 Nov 2018 15:55:56 +0000 Message-ID: <1543506955.2867.10.camel@codethink.co.uk> Subject: Re: [PATCH 1/3] bpf/verifier: Log instruction patching when verbose logging is enabled From: Ben Hutchings To: Daniel Borkmann , Alexei Starovoitov Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Date: Thu, 29 Nov 2018 15:55:55 +0000 In-Reply-To: References: <20181123183356.5q4bu47zpj5wdufb@xylophone.i.decadent.org.uk> <20181123183455.qjokyt6zpa2yck6s@xylophone.i.decadent.org.uk> Organization: Codethink Ltd. Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6-1+deb9u1 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2018-11-23 at 21:10 +0100, Daniel Borkmann wrote: > On 11/23/2018 07:34 PM, Ben Hutchings wrote: > > User-space does not have access to the patched eBPF code, but we > > need to be able to test that patches are being applied.  Therefore > > log distinct messages for each case that requires patching. > > Thanks for the patches, Ben! Above is actually not the case, e.g. privileged > admin can use something like 'bpftool prog dump xlated id ' and then the > BPF insns are dumped to user space for the program /after/ the verification, > so the rewrites can then be seen. Oh that's good. > test_verifier temporarily drops caps to > load and run the unprivileged cases, but we can extend the test suite to > retrieve and check the final insns after that happened. I think this would be > a nice extension to the test suite for cases like these and would also provide > better insight than verbose() statement saying that something has been > patched (but not the actual result of it). Agreed; I'll look into doing this instead. Ben. -- Ben Hutchings, Software Developer   Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom