How eBPF Program is Executed
An eBPF program can either be interpreted as bytecode or be JIT-compiled into native code after it is loaded into the kernel. In both cases, interpreted or compiled, the program must first pass the eBPF verifier.
CONFIG_BPF_JIT_ALWAYS_ON
This config option decides whether an eBPF program is always compiled into native code. Distributions enable this option by default, whereas the kernel's defconfig leaves it disabled.
The JIT brings performance benefits, but it requires considerable engineering work.
Required Privilege
In Linux v5.8 and earlier, certain eBPF programs, such as socket filters, require CAP_BPF.
In Linux v6 and later, eBPF programs can be loaded by normal users, but this requires a special config option.
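An added audit script, not from the original page, that checks the settings discussed above on a running host: whether the interpreter is compiled out (CONFIG_BPF_JIT_ALWAYS_ON in the kernel config), the bpf_jit_enable and bpf_jit_harden sysctls, and kernel.unprivileged_bpf_disabled, the sysctl that governs loading by normal users. The classification helpers take plain values, so they can be exercised on constructed input without root; the config path and the "jit-only"/"jit"/"interpreter" labels are this example's own conventions.

```shell
#!/bin/sh
# Audit the eBPF execution mode and loading privilege of a Linux host.
# Added example; the labels and the /boot/config-* path are assumptions.

# config_value FILE SYMBOL: print "y"/"m"/value, "n" when the symbol is
# commented out as "is not set", or nothing when it is absent from FILE.
config_value() {
  grep -E "^(CONFIG_$2=|# CONFIG_$2 is not set)" "$1" 2>/dev/null | head -n1 |
    sed -e 's/^# .* is not set$/n/' -e 's/^CONFIG_[A-Z0-9_]*=//'
}

# jit_mode ALWAYS_ON JIT_ENABLE: "jit-only" when BPF_JIT_ALWAYS_ON removed
# the interpreter, "jit" when the JIT is on but the interpreter remains as a
# fallback (bpf_jit_enable is 1 or 2), "interpreter" otherwise.
jit_mode() {
  if [ "$1" = "y" ]; then echo jit-only
  elif [ "$2" = "1" ] || [ "$2" = "2" ]; then echo jit
  else echo interpreter
  fi
}

# unpriv_mode VALUE: decode kernel.unprivileged_bpf_disabled.
# 0 = unprivileged loading allowed, 1 = disabled until reboot (cannot be
# re-enabled), 2 = disabled but an administrator may set it back to 0.
unpriv_mode() {
  case "$1" in
    0) echo allowed ;;
    1) echo disabled-locked ;;
    2) echo disabled ;;
    *) echo unknown ;;
  esac
}

# audit_live: read the real kernel settings; output depends on the host.
audit_live() {
  cfg="/boot/config-$(uname -r)"                # assumed config location
  always_on=$(config_value "$cfg" BPF_JIT_ALWAYS_ON)
  jit_enable=$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null || true)
  harden=$(cat /proc/sys/net/core/bpf_jit_harden 2>/dev/null || true)
  unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true)
  echo "execution mode:      $(jit_mode "$always_on" "$jit_enable")"
  echo "jit constant blinding (0 off, 1 unprivileged, 2 all): ${harden:-unknown}"
  echo "unprivileged loading: $(unpriv_mode "$unpriv")"
}

# Only inspect the live system where the sysctl interface exists.
[ -r /proc/sys/kernel/unprivileged_bpf_disabled ] && audit_live
```

A "jit-only" result means the interpreter is not present in the kernel at all, so there is no interpreter left to execute bytecode outside the JIT path.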
eBPF Engineering Issues
- The eBPF verifier rejects (kills) legitimate programs.
- The eBPF verifier cannot detect out-of-bounds writes.
- eBPF debugging is not user friendly.
- Compiler optimization may affect the eBPF verifier's result.
- Helper functions behave differently across architectures: the BPF_read_user() helper has an issue on ARM (v7.1 and above) caused by the PAN feature.
  - Issue tracker
  - Patch mail
eBPF Security Issue
If a data pointer that points to an eBPF program is manipulated and redirected to a vulnerable eBPF program, the interpreter will simply interpret eBPF shellcode. Such shellcode bypasses the eBPF verifier.
When an eBPF tail call loads the malicious pointer, the shellcode is interpreted.