Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
362 views
in Technique[技术] by (71.8m points)

ebpf - bpf resource limit using setrlimit

When writing bpf programs, some online tutorials always use

struct rlimit rlim_new = {
        .rlim_cur   = RLIM_INFINITY,
        .rlim_max   = RLIM_INFINITY,
};

setrlimit(RLIMIT_MEMLOCK, &rlim_new);

to remove memory usage limitation for the bpf programs. This makes the program require root privilege. I wonder if there is something equivalent that does not require root privilege.

Thanks, Peng.

question from: https://stackoverflow.com/questions/66055530/bpf-resource-limit-using-setrlimit


1 Answer

0 votes
by (71.8m points)

Not possible

From man setrlimit:

The getrlimit() and setrlimit() system calls get and set resource limits respectively. Each resource has an associated soft and hard limit, as defined by the rlimit structure:

struct rlimit {
    rlim_t rlim_cur;  /* Soft limit */
    rlim_t rlim_max;  /* Hard limit (ceiling for rlim_cur) */
};

The soft limit is the value that the kernel enforces for the corresponding resource. The hard limit acts as a ceiling for the soft limit: an unprivileged process may only set its soft limit to a value in the range from 0 up to the hard limit, and (irreversibly) lower its hard limit. A privileged process (under Linux: one with the CAP_SYS_RESOURCE capability) may make arbitrary changes to either limit value.

As you can read, a non-root process (or rather, without the relevant capacity) can only lower its memory limit. This answers your question: There is no equivalent for unprivileged users. Which makes sense, because the purpose of the memory limit is to prevent unprivileged users from harming the system in the first place, and allowing them to bypass the limit would kind of defeat that objective.

Seldom an issue

It is usually not an issue, because most eBPF-related operations require some privileges anyway. It used to be CAP_SYS_ADMIN, it is now a combination of CAP_SYS_ADMIN, CAP_BPF, CAP_NET_ADMIN, CAP_PERFMON depending on the program types and features used. One notable exception is eBPF programs attached to network sockets, which may be attached without privileges, if the kernel.unprivileged_bpf_disabled control knob has been set accordingly and if the program does not use forbidden features, see also this answer.

About to change

Note also that the memory accounting for eBPF objects is changing, and newer kernels (starting with 5.11) will use cgroup-based memory usage, so the call to setrlimit() for eBPF objects will become obsolete.
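
The following is an added example, not part of the original answer: it applies the rules quoted above by raising the soft RLIMIT_MEMLOCK only up to the hard limit (the most an unprivileged process may do), then making the tutorials' RLIM_INFINITY request to show where EPERM appears. The function names are hypothetical, and the 5.11 version test is taken from the answer and used only as a heuristic.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/utsname.h>

/* 1 if the release string is 5.11 or newer (cgroup-based accounting per
 * the answer above; version threshold is a heuristic), 0 if older, -1 on parse error. */
int release_bump_obsolete(const char *release)
{
    int major, minor;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    return major > 5 || (major == 5 && minor >= 11);
}

/* Raise the soft limit to the hard limit: the largest change allowed
 * without CAP_SYS_RESOURCE. Returns 0 on success, errno otherwise. */
int raise_soft_to_hard(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return errno;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? 0 : errno;
}

/* The tutorials' request. Returns 0 if granted, errno otherwise
 * (EPERM when the hard limit is finite and the caller is unprivileged). */
int request_unlimited(void)
{
    struct rlimit rl = { .rlim_cur = RLIM_INFINITY, .rlim_max = RLIM_INFINITY };
    return setrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? 0 : errno;
}

int main(void)
{
    struct utsname u;
    struct rlimit rl;
    if (uname(&u) == 0 && release_bump_obsolete(u.release) == 1)
        printf("kernel %s: rlimit bump not needed for eBPF objects\n", u.release);
    printf("soft -> hard: %s\n", raise_soft_to_hard() == 0 ? "ok" : "failed");
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0)
        printf("RLIMIT_MEMLOCK cur=%llu max=%llu\n",
               (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max);
    int err = request_unlimited();
    printf("RLIM_INFINITY: %s\n", err == 0 ? "granted" : err == EPERM ? "EPERM" : "error");
    return 0;
}
```

If the hard limit is still too small for the maps being created, the fix is an administrative one (raising the hard limit for the user or granting CAP_SYS_RESOURCE), not something the process can do for itself.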

