Re: [PATCH net-next 4/6] bpf: track if the bpf program was loaded with SYS_ADMIN capabilities

Wed, 26 Apr 2017 14:05:17 -0700 

On 04/26/2017 08:24 PM, Hannes Frederic Sowa wrote:

Signed-off-by: Hannes Frederic Sowa <[email protected]>


Ahh, looks this got swapped with 3/6.


---
  include/linux/filter.h | 6 ++++--
  kernel/bpf/core.c      | 4 +++-
  kernel/bpf/syscall.c   | 7 ++++---
  kernel/bpf/verifier.c  | 4 ++--
  net/core/filter.c      | 6 +++---
  5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 63624c619e371b..635311f57bf24f 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -413,7 +413,8 @@ struct bpf_prog {
                                locked:1,       /* Program image locked? */
                                gpl_compatible:1, /* Is filter GPL compatible? 
*/
                                cb_access:1,    /* Is control block accessed? */
-                               dst_needed:1;   /* Do we need dst entry? */
+                               dst_needed:1,   /* Do we need dst entry? */
+                               priv_cap_sys_admin:1; /* Where we loaded as 
sys_admin? */
        kmemcheck_bitfield_end(meta);
        enum bpf_prog_type      type;           /* Type of BPF program */

[...]

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6f8b6ed690be93..24c9dac374770f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3488,7 +3488,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr 
*attr)
        if (ret < 0)
                goto skip_full_check;

-       env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
+       env->allow_ptr_leaks = env->prog->priv_cap_sys_admin;

        ret = do_check(env);

@@ -3589,7 +3589,7 @@ int bpf_analyzer(struct bpf_prog *prog, const struct 
bpf_ext_analyzer_ops *ops,
        if (ret < 0)
                goto skip_full_check;

-       env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
+       env->allow_ptr_leaks = prog->priv_cap_sys_admin;

        ret = do_check(env);

diff --git a/net/core/filter.c b/net/core/filter.c
index 9a37860a80fc78..dc020d40bb770a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1100,7 +1100,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct 
sock_fprog_kern *fprog)
        if (!bpf_check_basics_ok(fprog->filter, fprog->len))
                return -EINVAL;

-       fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+       fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0, false);
        if (!fp)
                return -ENOMEM;



Did you check that transferring allow_ptr_leaks doesn't have a side
effect on the nfp JIT? I believe it can also do cbpf migrations to
a certain extend.






















					Reply via email to