[LTP] [PATCH 1/1] bpf_prog0[5-7]: Run with kernel.unprivileged_bpf_disabled = 0

Petr Vorel pvorel@suse.cz
Fri Aug 19 12:31:48 CEST 2022 

> > Hi!
> > > --- a/testcases/kernel/syscalls/bpf/bpf_prog05.c
> > > +++ b/testcases/kernel/syscalls/bpf/bpf_prog05.c
> > > @@ -209,6 +209,11 @@ static struct tst_test test = {
> > >  		{&msg, .size = sizeof(MSG)},
> > >  		{}
> > >  	},
> > > +	.needs_root = 1,
> > > +	.save_restore = (const struct tst_path_val[]) {
> > > +		{"?/proc/sys/kernel/unprivileged_bpf_disabled", "0"},
> > > +		{}
> > > +	},

> > If we set needs_root the test would run under root and there is no need
> > to fiddle with the unprivileged_bpf_disabled at all.

> I expected that as well, but well, I don't know why, but:

> # cat /proc/sys/kernel/unprivileged_bpf_disabled
> 2

> # id
> uid=0(root) gid=0(root) groups=0(root)

> # ./bpf_prog05
> tst_buffers.c:55: TINFO: Test is using guarded buffers
> tst_test.c:1526: TINFO: Timeout per run is 0h 00m 30s
> bpf_common.c:16: TINFO: Raising RLIMIT_MEMLOCK to 10485760
> tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
> tst_capability.c:29: TINFO: Dropping CAP_BPF(39)
Maybe dropping CAP_BPF() causes that even running root is not enough.

Kind regards,
Petr

> bpf_common.c:39: TCONF: Hint: check also /proc/sys/kernel/unprivileged_bpf_disabled
> bpf_common.c:40: TCONF: bpf() requires CAP_SYS_ADMIN or CAP_BPF on this system: EPERM (1)

> Summary:
> passed   0
> failed   0
> broken   0
> skipped  2
> warnings 0

> I.e. 1 or 2 kernel.unprivileged_bpf_disabled results bpf() returning EPERM for
> *all* users including root. 0 allows running again for all users, but we need
> root to set it 0 via .save_restore:

> tst_sys_conf.c:106: TBROK: Failed to open FILE '/proc/sys/kernel/unprivileged_bpf_disabled' for writing: EACCES (13)

> Maybe we could change tst_sys_conf_save() not to write the value if value can be
> read and is the same (and not run tst_sys_conf_restore() if value was the same).

> That way we would not need to require root if value is the same.

> But it'd be nice to have some tag saying: maybe root is needed, depend on sysfs
> value...

> Kind regards,
> Petr

More information about the ltp mailing list