Unable to run bpf program as non-root
Problem description
I am trying to run a simple bpf program that I wrote, but I am not able to run it as a non-root user. Below is the program I am trying to load. It basically gets the pointer to my map whose fd is map_fd (I am not showing the code where I create the map). It works as root but for some reason fails with a non-root user.
Output of uname -a
Linux 5.8.0-38-generic #43~20.04.1-Ubuntu SMP Tue Jan 12 16:39:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
BPF program
struct bpf_insn prog[] = {
    BPF_MOV64_IMM(BPF_REG_0, 0),                     /* r0 = 0 */
    BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),   /* *(u32 *)(fp - 4) = 0: the lookup key */
    BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),            /* r2 = fp */
    BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),           /* r2 = &key */
    BPF_LD_MAP_FD(BPF_REG_1, map_fd),                /* r1 = map */
    BPF_RAW_INSN(BPF_CALL | BPF_JMP, 0, 0, 0, BPF_FUNC_map_lookup_elem), /* r0 = map_lookup_elem(r1, r2) */
    BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),           /* if r0 != NULL skip the next instruction */
    BPF_EXIT_INSN(),                                 /* return r0 (NULL) */
    BPF_EXIT_INSN(),                                 /* return r0 (the map value pointer) */
};
Recommended answer
TL;DR. Qeole is correct, you first need to make sure you are using one of the BPF program types allowed for unprivileged users. You also need to check your sysctl settings. Finally, your current program has a pointer leak that should be fixed before it is loaded by an unprivileged user.
The kernel allows unprivileged users to load only two types of BPF programs, BPF_PROG_TYPE_SOCKET_FILTER and BPF_PROG_TYPE_CGROUP_SKB. You can see the check in the kernel for that condition in kernel/bpf/syscall.c.
The kernel.unprivileged_bpf_disabled sysctl controls whether unprivileged users can load eBPF programs. It is unfortunately set to 0 (allow loading) on major distributions.
sysctl -w kernel.unprivileged_bpf_disabled=0
Note: If you are not using unprivileged program types, I would strongly recommend setting this sysctl to 1.
Regardless of the above settings, BPF programs loaded by unprivileged users are never allowed to leak pointers to userspace. For example, if the program is returning a pointer to a map value, it is considered a leak. That's your case.
After the call to BPF_FUNC_map_lookup_elem, if R0 is non-zero, you should overwrite its value (set to 1?) before returning it.
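As an added example (not code from the question or the answer), here is the same program with the leak fixed and loaded through bpf(2) as BPF_PROG_TYPE_SOCKET_FILTER, the way an unprivileged loader would do it. It assumes the Linux UAPI header linux/bpf.h, creates its own one-entry array map in place of the asker's unshown map, and patches that map's fd into the ld_imm64 slot; the INSN macro, map layout and log size are this example's own choices.

```c
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#define INSN(CODE, DST, SRC, OFF, IMM) { .code = (CODE), .dst_reg = (DST), .src_reg = (SRC), .off = (OFF), .imm = (IMM) }
/* The question's program with the leak fixed, as raw struct bpf_insn fields (the kernel's
 * BPF_MOV64_IMM-style macros are not exported to userspace). Slot 4 gets the map fd at run time. */
struct bpf_insn fixed_prog[] = {
    INSN(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_0, 0, 0, 0),              /* r0 = 0 */
    INSN(BPF_STX | BPF_MEM | BPF_W, BPF_REG_10, BPF_REG_0, -4, 0),      /* *(u32 *)(fp - 4) = 0, the key */
    INSN(BPF_ALU64 | BPF_MOV | BPF_X, BPF_REG_2, BPF_REG_10, 0, 0),     /* r2 = fp */
    INSN(BPF_ALU64 | BPF_ADD | BPF_K, BPF_REG_2, 0, 0, -4),             /* r2 = &key */
    INSN(BPF_LD | BPF_DW | BPF_IMM, BPF_REG_1, BPF_PSEUDO_MAP_FD, 0, 0), /* r1 = map (BPF_LD_MAP_FD) */
    INSN(0, 0, 0, 0, 0),                                                /* second half of ld_imm64 */
    INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),        /* r0 = map_lookup_elem(r1, r2) */
    INSN(BPF_JMP | BPF_JEQ | BPF_K, BPF_REG_0, 0, 1, 0),                /* if r0 == NULL goto exit */
    INSN(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_0, 0, 0, 1),              /* r0 = 1: a scalar, not the map pointer */
    INSN(BPF_JMP | BPF_EXIT, 0, 0, 0, 0),
};

/* One-entry array map keyed by the u32 the program writes to its stack; returns fd or -errno. */
int create_array_map(void)
{
    union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = 4, .value_size = 8, .max_entries = 1 };
    int fd = syscall(SYS_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    return fd < 0 ? -errno : fd;
}

/* Load as BPF_PROG_TYPE_SOCKET_FILTER (one of the two types open to unprivileged users);
 * returns the program fd or -errno and leaves the verifier's log in log[]. */
int load_socket_filter(const struct bpf_insn *insns, size_t n, char *log, size_t log_sz)
{
    union bpf_attr attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = n,
                            .insns = (unsigned long)insns, .license = (unsigned long)"GPL",
                            .log_buf = (unsigned long)log, .log_size = log_sz, .log_level = 1 };
    int fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    return fd < 0 ? -errno : fd;
}
int main(void)
{
    char log[4096] = "";
    int map_fd = create_array_map();
    if (map_fd < 0) { perror("map create"); return 1; }
    fixed_prog[4].imm = map_fd;                        /* patch the map fd into the ld_imm64 */
    int prog_fd = load_socket_filter(fixed_prog, sizeof(fixed_prog) / sizeof(fixed_prog[0]), log, sizeof(log));
    if (prog_fd < 0) { fprintf(stderr, "%s", log); perror("prog load"); return 1; }
    printf("socket filter loaded as uid %u, fd=%d\n", getuid(), prog_fd);
    return 0;
}
```

With kernel.unprivileged_bpf_disabled=0 this loads for a non-root user; drop the r0 = 1 instruction and the verifier log explains the rejection as a leaked address in R0.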