| Message ID | 20200429144506.8999-1-quentin@isovalent.com |
|---|---|
| Headers | show |
| Series | tools: bpftool: probe features for unprivileged users | expand |
Quentin Monnet wrote: > This set allows unprivileged users to probe available features with > bpftool. On Daniel's suggestion, the "unprivileged" keyword must be passed > on the command line to avoid accidentally dumping a subset of the features > supported by the system. When used by root, this keyword makes bpftool drop > the CAP_SYS_ADMIN capability and print the features available to > unprivileged users only. > > The first patch makes a variable global in feature.c to avoid piping too > many booleans through the different functions. The second patch introduces > the unprivileged probing, adding a dependency to libcap. Then the third > patch makes this dependency optional, by restoring the initial behaviour > (root only can probe features) if the library is not available. > > Cc: Richard Palethorpe <rpalethorpe@suse.com> > Cc: Michael Kerrisk <mtk.manpages@gmail.com> > > v3: Update help message for bpftool feature probe ("unprivileged"). > > v2: Add "unprivileged" keyword, libcap check (patches 1 and 3 are new). > > Quentin Monnet (3): > tools: bpftool: for "feature probe" define "full_mode" bool as global > tools: bpftool: allow unprivileged users to probe features > tools: bpftool: make libcap dependency optional > > .../bpftool/Documentation/bpftool-feature.rst | 12 +- > tools/bpf/bpftool/Makefile | 13 +- > tools/bpf/bpftool/bash-completion/bpftool | 2 +- > tools/bpf/bpftool/feature.c | 143 +++++++++++++++--- > 4 files changed, 143 insertions(+), 27 deletions(-) > > -- > 2.20.1 > For the series, Acked-by: John Fastabend <john.fastabend@gmail.com>
On 4/29/20 4:45 PM, Quentin Monnet wrote: > This set allows unprivileged users to probe available features with > bpftool. On Daniel's suggestion, the "unprivileged" keyword must be passed > on the command line to avoid accidentally dumping a subset of the features > supported by the system. When used by root, this keyword makes bpftool drop > the CAP_SYS_ADMIN capability and print the features available to > unprivileged users only. > > The first patch makes a variable global in feature.c to avoid piping too > many booleans through the different functions. The second patch introduces > the unprivileged probing, adding a dependency to libcap. Then the third > patch makes this dependency optional, by restoring the initial behaviour > (root only can probe features) if the library is not available. > > Cc: Richard Palethorpe <rpalethorpe@suse.com> > Cc: Michael Kerrisk <mtk.manpages@gmail.com> > > v3: Update help message for bpftool feature probe ("unprivileged"). > > v2: Add "unprivileged" keyword, libcap check (patches 1 and 3 are new). > > Quentin Monnet (3): > tools: bpftool: for "feature probe" define "full_mode" bool as global > tools: bpftool: allow unprivileged users to probe features > tools: bpftool: make libcap dependency optional > > .../bpftool/Documentation/bpftool-feature.rst | 12 +- > tools/bpf/bpftool/Makefile | 13 +- > tools/bpf/bpftool/bash-completion/bpftool | 2 +- > tools/bpf/bpftool/feature.c | 143 +++++++++++++++--- > 4 files changed, 143 insertions(+), 27 deletions(-) > Applied, thanks!
This set allows unprivileged users to probe available features with bpftool. On Daniel's suggestion, the "unprivileged" keyword must be passed on the command line to avoid accidentally dumping a subset of the features supported by the system. When used by root, this keyword makes bpftool drop the CAP_SYS_ADMIN capability and print the features available to unprivileged users only. The first patch makes a variable global in feature.c to avoid piping too many booleans through the different functions. The second patch introduces the unprivileged probing, adding a dependency to libcap. Then the third patch makes this dependency optional, by restoring the initial behaviour (root only can probe features) if the library is not available. Cc: Richard Palethorpe <rpalethorpe@suse.com> Cc: Michael Kerrisk <mtk.manpages@gmail.com> v3: Update help message for bpftool feature probe ("unprivileged"). v2: Add "unprivileged" keyword, libcap check (patches 1 and 3 are new). Quentin Monnet (3): tools: bpftool: for "feature probe" define "full_mode" bool as global tools: bpftool: allow unprivileged users to probe features tools: bpftool: make libcap dependency optional .../bpftool/Documentation/bpftool-feature.rst | 12 +- tools/bpf/bpftool/Makefile | 13 +- tools/bpf/bpftool/bash-completion/bpftool | 2 +- tools/bpf/bpftool/feature.c | 143 +++++++++++++++--- 4 files changed, 143 insertions(+), 27 deletions(-)