diff mbox series

[bpf-next] bpftool: bash-completion: Add nopasswd sudo prefix for bpftool

Message ID tencent_515567355C0AA854BDA68C3A219A18040B0A@qq.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series [bpf-next] bpftool: bash-completion: Add nopasswd sudo prefix for bpftool | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for bpf-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success Errors and warnings before: 26 (+1) this patch: 26 (+1)
netdev/cc_maintainers success CCed 15 of 15 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 91 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-next-VM_Test-4 success Logs for aarch64-gcc / GCC BPF
bpf/vmtest-bpf-next-VM_Test-5 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-12 success Logs for aarch64-gcc / veristat-meta
bpf/vmtest-bpf-next-VM_Test-11 success Logs for aarch64-gcc / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-7 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-13 success Logs for s390x-gcc / GCC BPF
bpf/vmtest-bpf-next-VM_Test-19 success Logs for s390x-gcc / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-18 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for s390x-gcc / veristat-meta
bpf/vmtest-bpf-next-VM_Test-21 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-23 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-34 success Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-35 success Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17-O2
bpf/vmtest-bpf-next-VM_Test-40 success Logs for x86_64-llvm-17 / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-41 success Logs for x86_64-llvm-17 / veristat-meta
bpf/vmtest-bpf-next-VM_Test-43 success Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-44 success Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2
bpf/vmtest-bpf-next-VM_Test-50 success Logs for x86_64-llvm-18 / veristat-kernel
bpf/vmtest-bpf-next-VM_Test-51 success Logs for x86_64-llvm-18 / veristat-meta
bpf/vmtest-bpf-next-VM_Test-8 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-9 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-22 success Logs for x86_64-gcc / GCC BPF / GCC BPF
bpf/vmtest-bpf-next-VM_Test-25 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-29 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-30 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-31 success Logs for x86_64-gcc / veristat-kernel / x86_64-gcc veristat_kernel
bpf/vmtest-bpf-next-VM_Test-39 success Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-32 success Logs for x86_64-gcc / veristat-meta / x86_64-gcc veristat_meta
bpf/vmtest-bpf-next-VM_Test-42 success Logs for x86_64-llvm-18 / GCC BPF / GCC BPF
bpf/vmtest-bpf-next-VM_Test-45 success Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-49 success Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-27 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-26 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-33 success Logs for x86_64-llvm-17 / GCC BPF / GCC BPF
bpf/vmtest-bpf-next-VM_Test-36 success Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-37 success Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-38 success Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-46 success Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-47 success Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-48 success Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18

Commit Message

Rong Tao Feb. 12, 2025, 10:14 a.m. UTC 
From: Rong Tao <rongtao@cestc.cn>

In the bpftool script of bash-completion, many bpftool commands require
superuser privileges to execute. Otherwise, Operation not permission will
be displayed. Here, we check whether ordinary users are exempt from
entering the sudo password. If so, we need to add the sudo prefix to the
bpftool command to be executed. In this way, we can obtain the correct
command completion content instead of the wrong one.

For example, when updating array_of_maps, the wrong 'hex' is completed:

    $ sudo bpftool map update name arr_maps key 0 0 0 0 value [tab]
    $ sudo bpftool map update name arr_maps key 0 0 0 0 value hex

However, what we need is "id name pinned". Similarly, there is the same
problem in getting the map 'name' and 'id':

    $ sudo bpftool map show name [tab] < get nothing
    $ sudo bpftool map show id [tab]   < get nothing

This commit fixes the issue.

    $ sudo bpftool map update name arr_maps key 0 0 0 0 value [tab]
    id      name    pinned

    $ sudo bpftool map show name
    arr_maps         cgroup_hash      inner_arr1       inner_arr2

    $ sudo bpftool map show id
    11    1383  4091  4096

Signed-off-by: Rong Tao <rongtao@cestc.cn>
---
 tools/bpf/bpftool/bash-completion/bpftool | 29 +++++++++++++++--------
 1 file changed, 19 insertions(+), 10 deletions(-)

Comments

Quentin Monnet Feb. 12, 2025, 11 a.m. UTC | #1 
2025-02-12 18:14 UTC+0800 ~ Rong Tao <rtoax@foxmail.com>
> From: Rong Tao <rongtao@cestc.cn>
> 
> In the bpftool script of bash-completion, many bpftool commands require
> superuser privileges to execute. Otherwise, Operation not permission will
> be displayed. Here, we check whether ordinary users are exempt from
> entering the sudo password. If so, we need to add the sudo prefix to the
> bpftool command to be executed. In this way, we can obtain the correct
> command completion content instead of the wrong one.
> 
> For example, when updating array_of_maps, the wrong 'hex' is completed:
> 
>     $ sudo bpftool map update name arr_maps key 0 0 0 0 value [tab]
>     $ sudo bpftool map update name arr_maps key 0 0 0 0 value hex
> 
> However, what we need is "id name pinned". Similarly, there is the same
> problem in getting the map 'name' and 'id':
> 
>     $ sudo bpftool map show name [tab] < get nothing
>     $ sudo bpftool map show id [tab]   < get nothing
> 
> This commit fixes the issue.
> 
>     $ sudo bpftool map update name arr_maps key 0 0 0 0 value [tab]
>     id      name    pinned
> 
>     $ sudo bpftool map show name
>     arr_maps         cgroup_hash      inner_arr1       inner_arr2
> 
>     $ sudo bpftool map show id
>     11    1383  4091  4096
> 
> Signed-off-by: Rong Tao <rongtao@cestc.cn>

Hi, thanks for the patch.

I agree it's annoying to have a partially-working completion for
non-root users, however, I don't feel very comfortable introducing calls
to "sudo" in bash completion, without the user noticing. For what it's
worth, I searched other bash completion files (from
https://github.com/scop/bash-completion/) and I can't find any of them
running sudo to help complete commands, so it doesn't seem to be
something usual in completion. I think I'd rather keep the current state
(or fix the first example to have the right keywords displayed but
without running sudo).

Quentin
Rong Tao Feb. 12, 2025, 11:21 a.m. UTC | #2 
On 2/12/25 19:00, Quentin Monnet wrote:
> 2025-02-12 18:14 UTC+0800 ~ Rong Tao <rtoax@foxmail.com>
>> From: Rong Tao <rongtao@cestc.cn>
>>
>> In the bpftool script of bash-completion, many bpftool commands require
>> superuser privileges to execute. Otherwise, Operation not permission will
>> be displayed. Here, we check whether ordinary users are exempt from
>> entering the sudo password. If so, we need to add the sudo prefix to the
>> bpftool command to be executed. In this way, we can obtain the correct
>> command completion content instead of the wrong one.
>>
>> For example, when updating array_of_maps, the wrong 'hex' is completed:
>>
>>      $ sudo bpftool map update name arr_maps key 0 0 0 0 value [tab]
>>      $ sudo bpftool map update name arr_maps key 0 0 0 0 value hex
>>
>> However, what we need is "id name pinned". Similarly, there is the same
>> problem in getting the map 'name' and 'id':
>>
>>      $ sudo bpftool map show name [tab] < get nothing
>>      $ sudo bpftool map show id [tab]   < get nothing
>>
>> This commit fixes the issue.
>>
>>      $ sudo bpftool map update name arr_maps key 0 0 0 0 value [tab]
>>      id      name    pinned
>>
>>      $ sudo bpftool map show name
>>      arr_maps         cgroup_hash      inner_arr1       inner_arr2
>>
>>      $ sudo bpftool map show id
>>      11    1383  4091  4096
>>
>> Signed-off-by: Rong Tao <rongtao@cestc.cn>
> Hi, thanks for the patch.
>
> I agree it's annoying to have a partially-working completion for
> non-root users, however, I don't feel very comfortable introducing calls
> to "sudo" in bash completion, without the user noticing. For what it's
> worth, I searched other bash completion files (from
> https://github.com/scop/bash-completion/) and I can't find any of them
> running sudo to help complete commands, so it doesn't seem to be
> something usual in completion. I think I'd rather keep the current state
> (or fix the first example to have the right keywords displayed but
> without running sudo).

Thanks for the reply.

Using sudo to perform bash-completion is indeed not a perfect solution. 
However, using "bpftool map show" to obtain map information may be the 
only way, and this operation requires CAP_ADMIN, which may be a 
compromise. There is no other way.

Rong Tao
diff mbox series

Patch

diff --git a/tools/bpf/bpftool/bash-completion/bpftool b/tools/bpf/bpftool/bash-completion/bpftool
index 1ce409a6cbd9..25fb859cdfa4 100644
--- a/tools/bpf/bpftool/bash-completion/bpftool
+++ b/tools/bpf/bpftool/bash-completion/bpftool
@@ -5,6 +5,15 @@ 
 #
 # Author: Quentin Monnet <quentin.monnet@netronome.com>
 
+# In the bpftool script of bash-completion, many bpftool commands require
+# superuser privileges to be executed. Otherwise, EPERM will occur. Here,
+# it is detected whether ordinary users are exempt from sudo passwords. If
+# so, it is necessary to add the "sudo" prefix to the required bpftool
+# command execution.
+if sudo --non-interactive true 2>/dev/null; then
+    _sudo=sudo
+fi
+
 # Takes a list of words in argument; each one of them is added to COMPREPLY if
 # it is not already present on the command line. Returns no value.
 _bpftool_once_attr()
@@ -46,7 +55,7 @@  _bpftool_one_of_list()
 
 _bpftool_get_map_ids()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp map  2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp map  2>&1 | \
         command sed -n 's/.*"id": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
@@ -54,14 +63,14 @@  _bpftool_get_map_ids()
 _bpftool_get_map_ids_for_type()
 {
     local type="$1"
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp map  2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp map  2>&1 | \
         command grep -C2 "$type" | \
         command sed -n 's/.*"id": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
 _bpftool_get_map_names()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp map  2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp map  2>&1 | \
         command sed -n 's/.*"name": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
@@ -69,38 +78,38 @@  _bpftool_get_map_names()
 _bpftool_get_map_names_for_type()
 {
     local type="$1"
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp map  2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp map  2>&1 | \
         command grep -C2 "$type" | \
         command sed -n 's/.*"name": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
 _bpftool_get_prog_ids()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp prog 2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp prog 2>&1 | \
         command sed -n 's/.*"id": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
 _bpftool_get_prog_tags()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp prog 2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp prog 2>&1 | \
         command sed -n 's/.*"tag": "\(.*\)",$/\1/p' )" -- "$cur" ) )
 }
 
 _bpftool_get_prog_names()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp prog 2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp prog 2>&1 | \
         command sed -n 's/.*"name": "\(.*\)",$/\1/p' )" -- "$cur" ) )
 }
 
 _bpftool_get_btf_ids()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp btf 2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp btf 2>&1 | \
         command sed -n 's/.*"id": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
 _bpftool_get_link_ids()
 {
-    COMPREPLY+=( $( compgen -W "$( bpftool -jp link 2>&1 | \
+    COMPREPLY+=( $( compgen -W "$( ${_sudo} bpftool -jp link 2>&1 | \
         command sed -n 's/.*"id": \(.*\),$/\1/p' )" -- "$cur" ) )
 }
 
@@ -156,7 +165,7 @@  _bpftool_map_guess_map_type()
     [[ -z $ref ]] && return 0
 
     local type
-    type=$(bpftool -jp map show $keyword $ref | \
+    type=$(${_sudo} bpftool -jp map show $keyword $ref | \
         command sed -n 's/.*"type": "\(.*\)",$/\1/p')
     [[ -n $type ]] && printf $type
 }