Re: [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf
From: Song Liu <hidden>
Date: 2019-06-28 19:11:20
Also in: bpf
On Jun 28, 2019, at 2:01 AM, Lorenz Bauer [off-list ref] wrote:

> On Thu, 27 Jun 2019 at 21:19, Song Liu [off-list ref] wrote:
>
> > This patch introduces unprivileged BPF access. The access control is
> > achieved via device /dev/bpf. Users with write access to /dev/bpf are
> > able to call sys_bpf().
> >
> > Two ioctl commands are added to /dev/bpf:
> >
> > The two commands enable/disable permission to call sys_bpf() for the
> > current task. This permission is noted by bpf_permitted in task_struct.
> > This permission is inherited during clone(CLONE_THREAD).
>
> If I understand it correctly, a process would have to open /dev/bpf
> before spawning other threads for this to work? That still wouldn't
> work for Go I'm afraid. The runtime creates and destroys threads on an
> ad-hoc basis, and there is no way to "initialize" in the first thread.
There should be a master thread, no? Can we do that from the master thread at the beginning of execution?
> With the API as is, any Go wrapper wishing to use this would have to do
> the following _for every BPF syscall_:
>
> 1. Use runtime.LockOSThread() to prevent the scheduler from moving the goroutine.
> 2. Open /dev/bpf to set the bit in current_task
> 3. Execute the syscall
> 4. Call runtime.UnlockOSThread()
>
> Note that calling into C code via CGo doesn't change this.
>
> Is it not possible to set the bit on all processes in the current thread group?
I think that's possible, with some extra work. And there will be overhead,
as we need an atomic operation for all these processes. I would rather not
take this path unless it is really necessary.

Thanks,
Song
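The per-syscall wrapper that Lorenz describes (lock the OS thread, set the per-task bit through /dev/bpf, run the bpf(2) call, unlock), written out in Go as an added example. This is not code from the patch or from any BPF library: the thread does not name the two ioctl commands or give their request numbers, so the constants below are labelled placeholders, and the permission toggle is behind an interface so the same wrapper can be run on a kernel without the patch. It is Linux-only (it uses gettid) and, lacking a patched kernel, verifies with a recording double that Permit, the call itself and Revoke all execute on one kernel thread, which is exactly what a per-task (per-thread) bit requires and what an unpinned goroutine would not guarantee.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"sync"
	"syscall"
)

// The patch adds two /dev/bpf ioctls, but the thread never names them or
// gives their numbers. These request codes are placeholders, not the real API.
const (
	bpfDevPath         = "/dev/bpf"
	hypotheticalPermit = uintptr(0xB0F0) // stand-in for "enable sys_bpf for current task"
	hypotheticalRevoke = uintptr(0xB0F1) // stand-in for "disable sys_bpf for current task"
)

// permitter is the per-task permission toggle, abstracted so the wrapper can
// be exercised without a kernel that carries the patch.
type permitter interface {
	Permit() error
	Revoke() error
}

// devBPF flips the bit through /dev/bpf using the placeholder ioctls.
type devBPF struct{ f *os.File }

func openDevBPF() (*devBPF, error) {
	f, err := os.OpenFile(bpfDevPath, os.O_WRONLY, 0)
	if err != nil {
		return nil, err
	}
	return &devBPF{f: f}, nil
}

func (d *devBPF) Permit() error { return ioctl(d.f.Fd(), hypotheticalPermit) }
func (d *devBPF) Revoke() error { return ioctl(d.f.Fd(), hypotheticalRevoke) }
func (d *devBPF) Close() error  { return d.f.Close() }

func ioctl(fd, req uintptr) error {
	if _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, req, 0); errno != 0 {
		return errno
	}
	return nil
}

// withBPFPermission is the per-syscall dance: pin the goroutine to its OS
// thread, set the bit, run the bpf(2) call, clear the bit, unpin. Defers run
// last-registered-first, so Revoke happens before UnlockOSThread.
func withBPFPermission(p permitter, op func() error) (err error) {
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()
	if err = p.Permit(); err != nil {
		return err
	}
	defer func() {
		if rerr := p.Revoke(); rerr != nil && err == nil {
			err = rerr
		}
	}()
	return op()
}

// recordingPermitter is a test double: instead of touching /dev/bpf it
// records the kernel thread id (Linux gettid) each call executed on.
type recordingPermitter struct {
	mu   sync.Mutex
	tids []int
}

func (r *recordingPermitter) Permit() error { r.record(); return nil }
func (r *recordingPermitter) Revoke() error { r.record(); return nil }
func (r *recordingPermitter) record() {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.tids = append(r.tids, syscall.Gettid())
}

// sameThreadDemo runs a stand-in for a BPF syscall under withBPFPermission and
// reports whether Permit, the call (even after yielding to the scheduler) and
// Revoke all ran on one thread. Without LockOSThread the goroutine could be
// moved between these steps and the bit would be set on the wrong task.
func sameThreadDemo() (bool, error) {
	rp := &recordingPermitter{}
	var before, after int
	err := withBPFPermission(rp, func() error {
		before = syscall.Gettid()
		runtime.Gosched() // yield; a locked goroutine must resume on the same thread
		after = syscall.Gettid()
		return nil
	})
	if err != nil || len(rp.tids) != 2 {
		return false, err
	}
	return before == after && rp.tids[0] == before && rp.tids[1] == before, nil
}

func main() {
	if d, err := openDevBPF(); err == nil {
		defer d.Close()
		fmt.Println("/dev/bpf is present; the placeholder ioctls are not sent to it")
	} else {
		fmt.Println("no /dev/bpf on this kernel:", err)
	}
	ok, err := sameThreadDemo()
	fmt.Println("permit/op/revoke observed on one thread:", ok, err)
}
```

The cost Lorenz is pointing at is visible in the wrapper: every call pays for LockOSThread, two ioctls and UnlockOSThread, and the permission is only ever valid for the one pinned thread, because with the patch as described the bit lives in the calling task's task_struct.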