Thread: 62 messages, 8 authors, 2014-07-05

Re: [PATCH RFC net-next 03/14] bpf: introduce syscall(BPF, ...) and BPF maps

From: Andy Lutomirski <hidden>
Date: 2014-06-28 06:26:05
Also in: lkml, netdev

On Fri, Jun 27, 2014 at 10:55 PM, Alexei Starovoitov [off-list ref] wrote:
> On Fri, Jun 27, 2014 at 5:16 PM, Andy Lutomirski [off-list ref] wrote:
>> On Fri, Jun 27, 2014 at 5:05 PM, Alexei Starovoitov [off-list ref] wrote:
>>> BPF syscall is a demux for different BPF related commands.
>>>
>>> 'maps' is a generic storage of different types for sharing data between kernel
>>> and userspace.
>>>
>>> The maps can be created/deleted from user space via BPF syscall:
>>> - create a map with given id, type and attributes
>>>   map_id = bpf_map_create(int map_id, map_type, struct nlattr *attr, int len)
>>>   returns positive map id or negative error
>>>
>>> - delete map with given map id
>>>   err = bpf_map_delete(int map_id)
>>>   returns zero or negative error
>>
>> What's the scope of "id"?  How is it secured?
>
> the map and program id space is global and it's cap_sys_admin only.
> There is no pressing need to do it with per-user limits.
> So the whole thing is root only for now.

Hmm.  This may be unpleasant if you ever want to support non-root or
namespaced operation.

How hard would it be to give these things fds?

> Since I got your attention please review the most interesting
> verifier bits (patch 08/14) ;)

Will do.  Or at least I'll try :)

--Andy

-- 
Andy Lutomirski
AMA Capital Management, LLC
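
Added example, not part of the original message or the patch under review: a small userspace C model of the two handle schemes discussed above, a global integer id space gated only by a privilege check versus per-process fd-style handles. All names here (`struct proc`, the `admin` flag standing in for CAP_SYS_ADMIN, `id_*`, `fd_*`) are assumptions made for illustration.

```c
/* Constructed userspace model: not kernel code and not the patch's API. */
#include <stdlib.h>
#define SLOTS 8
struct map  { int refs; };                            /* toy map object */
struct proc { int admin; struct map *fds[SLOTS]; };   /* admin ~ CAP_SYS_ADMIN */
static struct map *global_ids[SLOTS];                 /* scheme A: one id space */
static struct map *hold(struct map *m) { if (m) m->refs++; return m; }
static struct map *map_new(void) { return hold(calloc(1, sizeof(struct map))); }
static void put(struct map *m) { if (--m->refs == 0) free(m); }
static struct map *lookup(struct proc *p, int fd) {
    return (fd < 0 || fd >= SLOTS) ? NULL : p->fds[fd];
}
/* Scheme A: ids are guessable integers; the privilege check is the only gate. */
int id_create(struct proc *p, int id) {
    if (!p->admin || id < 0 || id >= SLOTS || global_ids[id]) return -1;
    return (global_ids[id] = map_new()) ? id : -1;
}
int id_delete(struct proc *p, int id) {               /* no notion of "whose map" */
    if (!p->admin || id < 0 || id >= SLOTS || !global_ids[id]) return -1;
    put(global_ids[id]);
    global_ids[id] = NULL;
    return 0;
}

/* Scheme B (hypothetical): the handle indexes the caller's own table. */
int fd_create(struct proc *p) {
    for (int fd = 0; fd < SLOTS; fd++)
        if (!p->fds[fd]) return (p->fds[fd] = map_new()) ? fd : -1;
    return -1;
}
int fd_send(struct proc *from, int fd, struct proc *to) {  /* explicit hand-off */
    struct map *m = lookup(from, fd);
    for (int n = 0; m && n < SLOTS; n++)
        if (!to->fds[n]) { to->fds[n] = hold(m); return n; }
    return -1;
}
int fd_close(struct proc *p, int fd) {
    struct map *m = lookup(p, fd);
    if (!m) return -1;
    p->fds[fd] = NULL;
    put(m);                                           /* freed at last close */
    return 0;
}
int fd_refs(struct proc *p, int fd) { struct map *m = lookup(p, fd); return m ? m->refs : -1; }

int main(void) {
    struct proc u = {0, {0}}, v = {0, {0}};
    return fd_close(&v, fd_create(&u)) == -1 ? 0 : 1; /* v cannot reach u's map */
}
```

In the model, scheme A lets any privileged caller delete a map another caller created, while scheme B needs no privilege flag because a handle only resolves in the table of a process that created it or was explicitly sent it.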