
New AT_ flags for restricting pathname lookup

Posted Oct 4, 2018 22:52 UTC (Thu) by neilbrown (subscriber, #359)
Parent article: New AT_ flags for restricting pathname lookup

Surely this could be vastly simplified by allowing an eBPF program to be attached to a file descriptor so that when a path_lookup starts from that file descriptor, the eBPF program is used to vet or modify the lookup of each component.



New AT_ flags for restricting pathname lookup

Posted Oct 4, 2018 23:03 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

No......

Please, no more eBPF. It never ever works outside of kernel developers' machines.

New AT_ flags for restricting pathname lookup

Posted Oct 5, 2018 7:31 UTC (Fri) by flewellyn (subscriber, #5047) [Link] (4 responses)

I believe neilbrown was joking. I have no evidence for this, but I am desperately choosing to believe it anyway.

New AT_ flags for restricting pathname lookup

Posted Oct 5, 2018 7:34 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

I hope so. I've just spent a day debugging an eBPF filter written by somebody else and it's NOT a nice experience at all.

Debugging infrastructure is sorely lacking for it.

New AT_ flags for restricting pathname lookup

Posted Oct 5, 2018 12:10 UTC (Fri) by nix (subscriber, #2304) [Link] (2 responses)

eBPF is a nice thing to have if machine-generated (it's a rather nice and orthogonal assembler, and the ability to add helpers is just a killer feature that I wish real assemblers had!), but it's about as pleasant to debug programs written in it as any other assembler: i.e. fairly easy if you're familiar with the code generator, a nightmare otherwise, doubly so if this is the less regular land of handwritten code, disassembled and devoid of comments.

New AT_ flags for restricting pathname lookup

Posted Oct 5, 2018 17:14 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

It's way worse than assembly. With assembly you can typically use debuggers to trace the execution and inspect the environment. Nothing comparable exists for eBPF.

New AT_ flags for restricting pathname lookup

Posted Oct 5, 2018 22:24 UTC (Fri) by nix (subscriber, #2304) [Link]

Generally I do the same thing when debugging eBPF that I do when debugging other programs: printf()! In the case of eBPF you throw in a helper that does a printk() and chuck in calls to the helper liberally. (This is not so useful if you can't modify the eBPF, mind you.)

New AT_ flags for restricting pathname lookup

Posted Oct 4, 2018 23:55 UTC (Thu) by luto (guest, #39314) [Link]

It would be “simple” in the sense that getting the eBPF right would be at least as difficult as getting the kernel code with the AT flags right would be. But with eBPF, no one would ever review it carefully or fix the bugs.

eBPF is flexible, but it’s not magic.

