- Program: dnsdist
- Issue type: Bug report
Short description
We used to be able to run our eBPF socket filtering code with `CAP_BPF`, but the eBPF verifier has been made more strict in recent kernels and our existing code now requires `CAP_SYS_ADMIN`, failing with `attempt to corrupt spilled pointer on stack` otherwise.
Note that some distributions have already backported the more strict verifier to "stable" kernels.
For now the work-around is simple: we need to keep `CAP_SYS_ADMIN` instead of `CAP_BPF`. I'll edit the documentation and our systemd unit file shortly.
Then we need to figure out if we can write eBPF code that does not generate such an issue. I tried re-generating the code with a recent version of LLVM (17.0.6) but it did not help. I also tried eliminating the offending code by hand, but there are at least two other occurrences triggering the issue and one of them seems quite hard to fix.
Action points for me:
- CAP_SYS_ADMIN #14280
- CAP_BPF is no longer enough #14281
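To confirm which of the two capabilities a running process actually holds after the work-around, the effective mask in `/proc/<pid>/status` can be decoded. This is an added example, not part of the original report or the dnsdist code base; the sample status text and the verdict labels are constructed for illustration.

```python
import re

# Capability bit numbers as defined in linux/capability.h.
CAP_BITS = {"CAP_NET_ADMIN": 12, "CAP_SYS_ADMIN": 21, "CAP_PERFMON": 38, "CAP_BPF": 39}

def parse_cap_sets(status_text):
    """Return {'CapEff': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    pairs = re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M)
    return {name: int(hexmask, 16) for name, hexmask in pairs}

def held(mask):
    """Names of the capabilities of interest that are set in a mask."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}

def assess(status_text):
    """Classify the effective set against the work-around described in the report."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets:
        raise ValueError("no CapEff line found")
    caps = held(sets["CapEff"])
    if "CAP_SYS_ADMIN" in caps:
        verdict = "workaround-applied"   # CAP_SYS_ADMIN kept, as the report proposes
    elif "CAP_BPF" in caps:
        verdict = "cap-bpf-only"         # the setup the report says no longer loads the filter
    else:
        verdict = "no-bpf-capability"
    return verdict, caps

# Constructed samples: effective sets with CAP_NET_ADMIN plus one of the two capabilities.
SAMPLE_CAP_BPF = "Name:\tdnsdist\nCapPrm:\t0000008000001000\nCapEff:\t0000008000001000\n"
SAMPLE_SYS_ADMIN = "Name:\tdnsdist\nCapPrm:\t0000000000201000\nCapEff:\t0000000000201000\n"

if __name__ == "__main__":
    import sys
    # With a PID argument, inspect that process; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            print(assess(fh.read()))
    else:
        for sample in (SAMPLE_CAP_BPF, SAMPLE_SYS_ADMIN):
            print(assess(sample))
```

A `cap-bpf-only` verdict on a kernel with the stricter verifier corresponds to the failing configuration described above; `workaround-applied` means the process holds the much broader `CAP_SYS_ADMIN`.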