Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp3978525rwl; Sun, 2 Apr 2023 20:08:03 -0700 (PDT) X-Google-Smtp-Source: AKy350ZR/08bHl28C0b323p99IRt53nkzWVMHmxnvsPWQK4v3Nu4wKOl7ZU8sxKx7kT1VUVt9OpO X-Received: by 2002:aa7:d693:0:b0:502:a619:b6f2 with SMTP id d19-20020aa7d693000000b00502a619b6f2mr833889edr.10.1680491283703; Sun, 02 Apr 2023 20:08:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680491283; cv=none; d=google.com; s=arc-20160816; b=bf2RanRl+RtfXfXUkMp8LA2bigea3FdvI26YWHhbj45J18PQcz8DCYuP+0jdw8+7xG qHghFxyHgWcz3Fy28DBweW/CuvhsES7aqlS8twwAp5mhykyMFOfpC1nCId73qbvTYCzH /6NwLfI80F45ER6aJ782xUnxUK4SCAKbkzaDcCg7ut2O2HQnhRQviPgB19iMaPA/I4fp E41YyfxojN8fR7vCgec65HeddbBtGJSB7lHi52jyITt+S6E69dG73iKb24p2BC7814Cf do2xE8piA3ahIY6bqP3A9esv2oa51nYBgnDXpqFzUSzEvARRvy76unA3/tqSiSoy7BZw UA3Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=MVpHSWVPXPhCwMSet+5Qdfvz4A3AKximww2ubzxMDls=; b=iSOgzNrzOtC8nIq4WWAvqDEDnsOJ917LbVMKy8zVnrPoJxfzx1AUs6n46mRCSJXzXE CrsbRhHOm7N85ZZ/ilkZqKcz9kHfll6o7dL25PkjfUz+PAUiE2CEgc+9pRTjNZ/XqMfv HIBPf0HhobrPqZQ6w2iunXh5kTBJS0EM8JxnpeKuK2iy2AMDmhh3F8M8NRWGVKnq4L8d Q6mknudcyWvSOsxh6ggSudhP7yfdiDOPKbYPOEwOSzx2LDlsKtp4pUG5BW6odcFj4viF RAs+Jah1/3ERF8wGX95d7ryvR+RigCZ37/4+5a2t3vlAq+KHWntPJFtc+1dtqw1cRoa1 w/ZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NCEPTZzp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b13-20020aa7c6cd000000b004fb8724cc4esi4377509eds.292.2023.04.02.20.07.36; Sun, 02 Apr 2023 20:08:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NCEPTZzp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230095AbjDCDGJ (ORCPT + 99 others); Sun, 2 Apr 2023 23:06:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229670AbjDCDGH (ORCPT ); Sun, 2 Apr 2023 23:06:07 -0400 Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D86C659D; Sun, 2 Apr 2023 20:06:02 -0700 (PDT) Received: by mail-qt1-x836.google.com with SMTP id n14so27030311qta.10; Sun, 02 Apr 2023 20:06:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680491161; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=MVpHSWVPXPhCwMSet+5Qdfvz4A3AKximww2ubzxMDls=; b=NCEPTZzp7vT2RjILBwPZ851j1Z87CT9aGjL5VIUzghm3DTaDr06vg9TsQ46OM8Yvst eV2TNhziUC9veM8Bo+VY9ih7tx2q2oVKwTauiKQVtfrDRnLtX8jGLDe+p03VVRtENDFq 5N7wiXi+8RJ4YqmPZXGDZZhmGfm+Xj7Gpw4l9QwK6et/NHiG5MOwOHkrLBvAjBzb/9vi cYi3XYdz5uNenMAu3JfXr+X1ENUvfukTEfVf2QPMcIZj9n5XNHTNNW5kWEaygwYZLqJ1 zAoOcJPCXxNE5fpEgU4WHCScABiutyzpkqdbIDiEdRH49cTtjSnMJuwYXX7yR7f4yw3o gqZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680491161; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MVpHSWVPXPhCwMSet+5Qdfvz4A3AKximww2ubzxMDls=; b=A/PWRHnezP2zgqhPF83UBot1b2uKvSY7sIgGhYa6l/ZWyPHWWWglYbgVC2+trUb3pU XgiQWav1gjP2K7XhUuvFz0vTh/f0QehfF+vDJ4ojJN/krkEzIVNZYTyLqQuy01N4yvHF E6/HtdfSgn6SruEap/dmEUUtGgNHQ4N9Big1hhjevCvHQg3QevGilngVJwHl7t2+lvVf lNPFty4OHTZN25NOnrLrJB7BwaBt2/pxPC/2ubi3/TVv1EPJdqE77Tke6mwgSFrqljWt SlNdam3TkZoPSJOaDUC6ZmtiUamrZrTjWAUJ34b1S1h2oOSyOyBuE6BumvhekqhMGkze aetg== X-Gm-Message-State: AO0yUKW4UOCgRpQ9OemeOkDw4pLqcFYngVDRxLWLKSMjpPOLYXQ37qk8 YajhZAq+Zg1e3FKZW+ei0mZHtZ3hWy+3QMGEbVM= X-Received: by 2002:a05:622a:1a02:b0:3e3:f70f:fb13 with SMTP id f2-20020a05622a1a0200b003e3f70ffb13mr12426978qtb.6.1680491161713; Sun, 02 Apr 2023 20:06:01 -0700 (PDT) MIME-Version: 1.0 References: <20230326092208.13613-1-laoar.shao@gmail.com> <20230402233740.haxb7lgfavcoe27f@dhcp-172-26-102-232.dhcp.thefacebook.com> In-Reply-To: <20230402233740.haxb7lgfavcoe27f@dhcp-172-26-102-232.dhcp.thefacebook.com> From: Yafang Shao Date: Mon, 3 Apr 2023 11:05:25 +0800 Message-ID: Subject: Re: [RFC PATCH bpf-next 00/13] bpf: Introduce BPF namespace To: Alexei Starovoitov Cc: Song Liu , ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 3, 2023 at 7:37=E2=80=AFAM Alexei Starovoitov wrote: > > On Tue, Mar 28, 2023 at 11:47:31AM +0800, Yafang Shao wrote: > > On Tue, Mar 28, 2023 at 3:04=E2=80=AFAM Song Liu wrot= e: > > > > > > On Sun, Mar 26, 2023 at 2:22=E2=80=AFAM Yafang Shao wrote: > > > > > > > > Currently only CAP_SYS_ADMIN can iterate BPF object IDs and convert= IDs > > > > to FDs, that's intended for BPF's security model[1]. Not only does = it > > > > prevent non-privilidged users from getting other users' bpf program= , but > > > > also it prevents the user from iterating his own bpf objects. > > > > > > > > In container environment, some users want to run bpf programs in th= eir > > > > containers. These users can run their bpf programs under CAP_BPF an= d > > > > some other specific CAPs, but they can't inspect their bpf programs= in a > > > > generic way. For example, the bpftool can't be used as it requires > > > > CAP_SYS_ADMIN. That is very inconvenient. > > > > > > Agreed that it is important to enable tools like bpftool without > > > CAP_SYS_ADMIN. However, I am not sure whether we need a new > > > namespace for this. Can we reuse some existing namespace for this? > > > > > > > It seems we can't. > > Yafang, > > It's a Nack. > > The only thing you've been trying to "solve" with bpf namespace is to > allow 'bpftool prog show' iterate progs in the "namespace" without CAP_SY= S_ADMIN. > The concept of bpf namespace is not even close to be thought through. Right, it is more likely a PoC in its current state. > Others pointed out the gaps in the design. Like bpffs. There are plenty. > Please do not send patches like this in the future. The reason I sent it with an early state is that I want to get some early feedback from the community ahead of the LSF/MM/BPF workshop, then I can improve it based on these feedbacks and present it more specifically at the workshop. Then the discussion will be more effective. > You need to start with describing the problem you want to solve, > then propose _several_ solutions, describe their pros and cons, > solicit feedback, present at the conferences (like LSFMMBPF or LPC), > and when the community agrees that 1. problem is worth solving, > 2. the solution makes sense, only then work on patches. > I would like to give a short discussion on the BPF namespace if everything goes fine. > "In container environment, some users want to run bpf programs in their c= ontainers." > is something Song brought up at LSFMMBPF a year ago. > At that meeting most of the folks agreed that there is a need to run bpf > in containers and make sure that the effect of bpf prog is limited to a c= ontainer. > This new namespace that creates virtual IDs for progs and maps doesn't co= me > close in solving this task. Currently in our production environment, all the containers running bpf programs are privileged, that is risky. So actually the goal of the BPF namespace is to make them (or part of them) non-privileged. But some of the abilities of these bpf programs will be lost in this procedure, like the debug-bility with bpftool, so we need to fix it. Agree with you that this goal is far from making bpf programs safely running in a container environment. --=20 Regards Yafang