On 12/13/2018 01:19 PM, Quentin Monnet wrote:
> Add a set of probes to dump the eBPF-related parameters available from
> /proc/: availability of bpf() syscall for unprivileged users,
> JIT compiler status and hardening status, kallsyms exports status.
>
> Sample output:
>
>     # bpftool feature probe kernel
>     Scanning system configuration...
>     bpf() syscall for unprivileged users is enabled
>     JIT compiler is disabled
>     JIT compiler hardening is disabled
>     JIT compiler kallsyms exports are disabled
>     ...
>
>     # bpftool --json --pretty feature probe kernel
>     {
>         "system_config": {
>             "unprivileged_bpf_disabled": 0,
>             "bpf_jit_enable": 0,
>             "bpf_jit_harden": 0,
>             "bpf_jit_kallsyms": 0
>         },
>         ...
>     }
>
>     # bpftool feature probe kernel macros prefix BPFTOOL_
>     #define UNPRIVILEGED_BPF_DISABLED UNPRIVILEGED_BPF_DISABLED_OFF
>     #define UNPRIVILEGED_BPF_DISABLED_OFF 0
>     #define UNPRIVILEGED_BPF_DISABLED_ON 1
>     #define UNPRIVILEGED_BPF_DISABLED_UNKNOWN -1
>     #define JIT_COMPILER_ENABLE JIT_COMPILER_ENABLE_OFF
>     #define JIT_COMPILER_ENABLE_OFF 0
>     #define JIT_COMPILER_ENABLE_ON 1
>     #define JIT_COMPILER_ENABLE_ON_WITH_DEBUG 2
>     #define JIT_COMPILER_ENABLE_UNKNOWN -1
>     #define JIT_COMPILER_HARDEN JIT_COMPILER_HARDEN_OFF
>     #define JIT_COMPILER_HARDEN_OFF 0
>     #define JIT_COMPILER_HARDEN_FOR_UNPRIVILEGED 1
>     #define JIT_COMPILER_HARDEN_FOR_ALL_USERS 2
>     #define JIT_COMPILER_HARDEN_UNKNOWN -1
>     #define JIT_COMPILER_KALLSYMS JIT_COMPILER_KALLSYMS_OFF
>     #define JIT_COMPILER_KALLSYMS_OFF 0
>     #define JIT_COMPILER_KALLSYMS_FOR_ROOT 1
>     #define JIT_COMPILER_KALLSYMS_UNKNOWN -1
>     ...

Hm, given these knobs may change at any point in time, what would be a use case in an application for these if they cannot be relied upon? (At least the jit_enable and jit_harden are transparent to the user.)
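
An added example, not part of the patch or of either message: a point-in-time hardening audit over the "system_config" object shown in the sample JSON output, using the value meanings listed in the macro output. The function name, the severity levels and the baseline it applies are assumptions of this example, and a missing key is treated like the -1 "unknown" value.

```python
import json

# Constructed input, shaped like the "system_config" object in the sample output.
SAMPLE = json.dumps({"system_config": {
    "unprivileged_bpf_disabled": 0, "bpf_jit_enable": 1,
    "bpf_jit_harden": 0, "bpf_jit_kallsyms": 1}})

KNOBS = ("unprivileged_bpf_disabled", "bpf_jit_enable",
         "bpf_jit_harden", "bpf_jit_kallsyms")


def audit_system_config(probe_json):
    """Return (severity, knob, message) tuples for one snapshot of the knobs.

    The baseline and severities are assumptions of this example.
    """
    cfg = json.loads(probe_json).get("system_config", {})
    # A missing key is handled like -1, the *_UNKNOWN value in the macro output.
    val = {k: cfg.get(k, -1) for k in KNOBS}
    out = [("unknown", k, "value could not be read")
           for k in KNOBS if val[k] == -1]

    unpriv_open = val["unprivileged_bpf_disabled"] == 0
    jit_on = val["bpf_jit_enable"] in (1, 2)

    if unpriv_open:
        out.append(("high", "unprivileged_bpf_disabled",
                    "bpf() syscall is enabled for unprivileged users"))
    if val["bpf_jit_enable"] == 2:
        out.append(("medium", "bpf_jit_enable",
                    "JIT compiler is enabled with debug"))
    if jit_on:
        # Hardening and kallsyms exports only matter when programs are JITed.
        if val["bpf_jit_harden"] == 0:
            sev = "high" if unpriv_open else "medium"
            out.append((sev, "bpf_jit_harden",
                        "JIT compiler is enabled without hardening"))
        if val["bpf_jit_kallsyms"] == 1:
            out.append(("info", "bpf_jit_kallsyms",
                        "JIT kallsyms exports are enabled for root"))
    return out


if __name__ == "__main__":
    for finding in audit_system_config(SAMPLE):
        print(*finding, sep="\t")
```

The result describes the system only at the moment the probe ran, so a check like this belongs in a recurring audit rather than in a one-time decision.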