From: Andrii Nakryiko <andrii@kernel.org>
To: <bpf@vger.kernel.org>, <ast@kernel.org>, <daniel@iogearbox.net>,
<martin.lau@kernel.org>
Cc: <andrii@kernel.org>, <kernel-team@meta.com>
Subject: [PATCH bpf-next 0/3] Relax checks for unprivileged bpf() commands
Date: Wed, 24 May 2023 15:54:18 -0700 [thread overview]
Message-ID: <20230524225421.1587859-1-andrii@kernel.org> (raw)
During last relaxation of bpf syscall's capabilities checks ([0]), the model
of FD-based ownership was established: if process through whatever means got
FD for some BPF object (map, prog, etc), it should be able to perform
operations on this object without extra CAP_SYS_ADMIN or CAP_BPF capabilities.
It seems like we missed a few cases, though, in which we are still enforcing extra caps for no good reason, even though operations are not really unsafe and/or do not require any system-wide capabilities:
- BPF_MAP_FREEZE command;
- GET_NEXT_ID family of commands;
- GET_INFO_BY_FD command has extra bpf_capable()-based sanitization.
This patch set is removing these unnecessary checks. MAP_FREEZE and INFO_BY_FD
are deviating from the "if you own FD, you can work with BPF object".
GET_NEXT_ID is a completely safe and unprivileged operation that returns just
IDs of BPF objects. One still needs to go through CAP_SYS_ADMIN-guarded
GET_FD_BY_ID command to get ahold of FD to do any operation on corresponding
BPF object. As such, it seems completely safe to drop CAP_SYS_ADMIN checks for
GET_NEXT_ID.
[0] https://lore.kernel.org/all/1652970334-30510-2-git-send-email-alan.maguire@oracle.com/
Andrii Nakryiko (3):
bpf: drop unnecessary bpf_capable() check in BPF_MAP_FREEZE command
bpf: don't require CAP_SYS_ADMIN for getting NEXT_ID
bpf: don't require bpf_capable() for GET_INFO_BY_FD
kernel/bpf/syscall.c | 23 ++++---------------
.../bpf/prog_tests/unpriv_bpf_disabled.c | 15 ++----------
2 files changed, 7 insertions(+), 31 deletions(-)
--
2.34.1
next reply other threads:[~2023-05-24 22:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-24 22:54 Andrii Nakryiko [this message]
2023-05-24 22:54 ` [PATCH bpf-next 1/3] bpf: drop unnecessary bpf_capable() check in BPF_MAP_FREEZE command Andrii Nakryiko
2023-05-24 22:54 ` [PATCH bpf-next 2/3] bpf: don't require CAP_SYS_ADMIN for getting NEXT_ID Andrii Nakryiko
2023-05-25 3:22 ` Alexei Starovoitov
2023-05-25 17:04 ` Andrii Nakryiko
2023-05-25 17:11 ` Alexei Starovoitov
2023-05-25 17:30 ` Andrii Nakryiko
2023-05-24 22:54 ` [PATCH bpf-next 3/3] bpf: don't require bpf_capable() for GET_INFO_BY_FD Andrii Nakryiko
2023-05-25 13:13 ` Daniel Borkmann
2023-05-25 17:20 ` Andrii Nakryiko
2023-05-25 19:49 ` Daniel Borkmann
2023-05-25 17:20 ` [PATCH bpf-next 0/3] Relax checks for unprivileged bpf() commands patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230524225421.1587859-1-andrii@kernel.org \
--to=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).