Thread (3 messages), 3 authors, 2023-06-12

Re: [PATCH] Add a sysctl option to disable bpf offensive helpers.

From: Christoph Hellwig <hch@infradead.org>
Date: 2023-06-12 04:18:58
Also in: bpf, linux-security-module, linux-trace-kernel, lkml

On Sat, Jun 10, 2023 at 03:26:18PM +0000, Yi He wrote:
> The default value of sysctl_offensive_bpf_disabled is 0, which means
> all the five helpers are enabled. By setting sysctl_offensive_bpf_disabled
> to 1, these helpers cannot be used until a reboot. By setting it to 2,
> these helpers cannot be used but privileged users can modify this flag
> to 0.

That's just a nightmare API.  The right thing is to not allow
program types that can use the helpers from anything but a global
fully privileged context.

And offensive is in this context a really weird term.  Nothing is
offensive here, invasive or allowing to change kernel state might be
better terms.