"Arbitrary read+write via incorrect range tracking in eBPF." eBPF lets userspace programs inject code into the kernel for the kernel to run. The kernel is only supposed to accept code that's safe. That requires a correct verifier. Here the verifier was not correctly verified. https://twitter.com/esizkur/status/943938258987372545
That's what the manpage says, but https://lwn.net/Articles/660331/ says unprivileged BPF is a thing since Linux 4.4.
seccomp-bpf is what all modern sandboxing is built on. Chrome and Firefox both use it.
seccomp-bpf was originally defense-in-depth for proper sandboxing (Firefox is doing things kind of backwards, for reasons), and it was added in 3.5; it's always been unprivileged AFAIK. eBPF is not much like BPF and it's more of a dtrace replacement AIUI.
eBPF is used for various things, including tracing and monitoring like dtrace. But also for packet processing like the old BPF version. I expect seccomp will work with eBPF at some point.
Wow, TIL. Although it looks like there is a sysctl to disable that, so you don't have to wait for upstream patches.
You have several kernel hooks where you can attach eBPF programs (sockets, TC, XDP, kprobes, tracepoints …). Unprivileged eBPF can be allowed for sockets (see sysctl kernel.unprivileged_bpf_disabled), all others need admin cap. Careful with that man page, it's really outdated :)