RE: [PATCH net-next 2/2] bpf: Remove the capability check for cgroup skb eBPF program

2017-05-31 Thread YUAN Linyu
hi

> -Original Message-
> From: netdev-ow...@vger.kernel.org [mailto:netdev-ow...@vger.kernel.org]
> On Behalf Of Chenbo Feng
> Sent: Thursday, June 01, 2017 2:07 AM
> To: netdev@vger.kernel.org; David Miller
> Cc: Lorenzo Colitti; Chenbo Feng
> Subject: [PATCH net-next 2/2] bpf: Remove the capability check for cgroup skb
> eBPF program
> - if (type != BPF_PROG_TYPE_SOCKET_FILTER
> && !capable(CAP_SYS_ADMIN))
> + if (type != BPF_PROG_TYPE_SOCKET_FILTER
> + && type != BPF_PROG_TYPE_CGROUP_SKB
> + && !capable(CAP_SYS_ADMIN))

checkpatch.pl prefers putting && at the end of the line.

>   return -EPERM;
> 
>   /* plain bpf_prog allocation */
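Review bot: the multi-line condition in this hunk starts each continuation line with `&&`, which checkpatch.pl flags; keep the operator at the end of the line and align the continuations under the opening parenthesis, i.e.

	if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
	    type != BPF_PROG_TYPE_CGROUP_SKB &&
	    !capable(CAP_SYS_ADMIN))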
> --
> 2.7.4



[PATCH net-next 2/2] bpf: Remove the capability check for cgroup skb eBPF program

2017-05-31 Thread Chenbo Feng
From: Chenbo Feng 

Currently loading a cgroup skb eBPF program requires the CAP_SYS_ADMIN
capability, while attaching the program to a cgroup only requires the
user to have the CAP_NET_ADMIN privilege. We can skip the capability
check when loading the program, just like for socket filter programs,
to make the capability requirement consistent.

Signed-off-by: Chenbo Feng 
---
 kernel/bpf/syscall.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 265a0d8..021c0b4 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -815,7 +815,9 @@ static int bpf_prog_load(union bpf_attr *attr)
attr->kern_version != LINUX_VERSION_CODE)
return -EINVAL;
 
-   if (type != BPF_PROG_TYPE_SOCKET_FILTER && !capable(CAP_SYS_ADMIN))
+   if (type != BPF_PROG_TYPE_SOCKET_FILTER
+   && type != BPF_PROG_TYPE_CGROUP_SKB
+   && !capable(CAP_SYS_ADMIN))
return -EPERM;
 
/* plain bpf_prog allocation */
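Review bot: after this hunk, loading a BPF_PROG_TYPE_CGROUP_SKB program needs no capability at all, because `!capable(CAP_SYS_ADMIN)` is the only capability test in the condition and nothing in this path checks CAP_NET_ADMIN; the commit message justifies the change by the CAP_NET_ADMIN requirement on attach, but that requirement is not enforced here, so the message should state explicitly that load becomes unprivileged (exactly like BPF_PROG_TYPE_SOCKET_FILTER) and that only the later attach step still gates on CAP_NET_ADMIN. If the intent is instead to require CAP_NET_ADMIN at load time, the cgroup skb case needs its own `capable(CAP_NET_ADMIN)` test rather than being exempted from the check outright.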
-- 
2.7.4