Re: BPF64: proposal of platform-independent hardware-friendly backwards-compatible eBPF alternative
Date: Wed, 11 Sep 2024 09:05:18 UTC
On Wed, 11 Sep 2024 10:14:44 +0800
Philip Paeps <philip@trouble.is> wrote:

> On 2024-09-11 06:12:28 (+0800), Vadim Goncharov wrote:
> > David Chisnall <theraven@FreeBSD.org> wrote:
> >> BPF can be loaded only by root, who can also load kernel modules
> >> and map /dev/[k]mem, and FreeBSD does not protect the root <->
> >> kernel boundary.
> >
> > Wrong. It is possible for decades to do `chmod a+r /dev/bpf*` and
> > run tcpdump as non-root, which will load BPF code into kernel. Is
> > *that* also a vulnerability, and if so, why it was never reported?
>
> This is equivalent to chmod a+w /dev/mem.
>
> Unwise configuration decisions are not vulnerabilities.

But then a possibility to give this to non-root is. And many things are
considered vulnerabilities even if they are only available to root - for
example, when root can be tricked into running malicious code etc.
(unconscious) actions without direct intention.

Equivalency of classic BPF to writable /dev/mem is too loud and
controversial a statement. Demonstrate how it can be done on stock FreeBSD 13
with /dev/bpf available to an attacker (e.g. `sudo tcpdump` allowed).

-- 
WBR, @nuclight