1

When writing bpf programs, some online tutorials always use

struct rlimit rlim_new = {
        .rlim_cur   = RLIM_INFINITY,
        .rlim_max   = RLIM_INFINITY,
};

setrlimit(RLIMIT_MEMLOCK, &rlim_new);

to remove memory usage limitation for the bpf programs. This makes the program require root privilege. I wonder if there is something equivalent that does not require root privilege.

Thanks, Peng.

pyang
  • 109
  • 7

1 Answers1

1

Not possible

From man setrlimit:

The getrlimit() and setrlimit() system calls get and set resource limits respectively. Each resource has an associated soft and hard limit, as defined by the rlimit structure:

struct rlimit {
    rlim_t rlim_cur;  /* Soft limit */
    rlim_t rlim_max;  /* Hard limit (ceiling for rlim_cur) */
};

The soft limit is the value that the kernel enforces for the corresponding resource. The hard limit acts as a ceiling for the soft limit: an unprivileged process may only set its soft limit to a value in the range from 0 up to the hard limit, and (irreversibly) lower its hard limit. A privileged process (under Linux: one with the CAP_SYS_RESOURCE capability) may make arbitrary changes to either limit value.

As you can read, a non-root process (or rather, without the relevant capacity) can only lower its memory limit. This answers your question: There is no equivalent for unprivileged users. Which makes sense, because the purpose of the memory limit is to prevent unprivileged users to harm the system in the first place, and allowing them to bypass the limit would kind of defeat that objective.

Seldom an issue

It is usually not an issue, because most eBPF-related operations require some privileges anyway. It used to be CAP_SYS_ADMIN, it is now a combination of CAP_SYS_ADMIN, CAP_BPF, CAP_NET_ADMIN, CAP_PEFMON depending on the program types and features used. One notable exception are eBPF programs attached to network sockets, which may be attached without privileges, if the kernel.unprivileged_bpf_disabled control knob has been set accordingly and if the program does not use forbidden features, see also this answer.

About to change

Note also that the memory accounting for eBPF objects is changing, and newer kernels (starting with 5.11) will use cgroup-based memory usage, so the call to setrlimit() for eBPF objects will become obsolete.

Qeole
  • 8,284
  • 1
  • 24
  • 52
  • Thanks for the reply. Another related question. I am using a relative old kernel, and do not have bpf_spin_lock. In this case, if I want to modify a structure in the map, I have to make a copy, modify the copy and put the copy back in using map update, in order to avoid concurrency problems. Is that right? – pyang Feb 10 '21 at 01:26
  • If you modify several members of the struct, then yes, I think so. When you push your copy with `bpf_map_elem_update()`, the update will be protected with an RCU. – Qeole Feb 10 '21 at 09:24