From: Andy Lutomirski <luto@kernel.org>
To: LKML <linux-kernel@vger.kernel.org>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Song Liu <songliubraving@fb.com>,
Kees Cook <keescook@chromium.org>,
Networking <netdev@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Kernel Team <Kernel-team@fb.com>,
Lorenz Bauer <lmb@cloudflare.com>, Jann Horn <jannh@google.com>,
Greg KH <gregkh@linuxfoundation.org>,
Linux API <linux-api@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Andy Lutomirski <luto@kernel.org>
Subject: [WIP 4/4] bpf: Allow creating all program types without privilege
Date: Mon, 5 Aug 2019 14:29:05 -0700 [thread overview]
Message-ID: <9e77ae06243555a96a3fd5e854f61d24823110c9.1565040372.git.luto@kernel.org> (raw)
In-Reply-To: <cover.1565040372.git.luto@kernel.org>
This doesn't let you *run* the programs except in test mode, so it should
be safe. Famous last words.
This assumes that the check-privilege-to-call-privileged-functions
patch actually catches all the cases and that there's nothing else
that should need privilege lurking in the type-specific verifiers.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
kernel/bpf/syscall.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 23f8f89d2a86..730afa2be786 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1649,8 +1649,7 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
attr->insn_cnt > (capable(CAP_SYS_ADMIN) ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))
return -E2BIG;
if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
- type != BPF_PROG_TYPE_CGROUP_SKB &&
- !capable(CAP_SYS_ADMIN))
+ type != BPF_PROG_TYPE_CGROUP_SKB)
return -EPERM;
bpf_prog_load_fixup_attach_type(attr);
--
2.21.0
prev parent reply other threads:[~2019-08-05 21:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-05 21:29 [WIP 0/4] bpf: A bit of progress toward unprivileged use Andy Lutomirski
2019-08-05 21:29 ` [WIP 1/4] bpf: Respect persistent map and prog access modes Andy Lutomirski
2019-08-05 21:29 ` [WIP 2/4] bpf: Don't require mknod() permission to pin an object Andy Lutomirski
2019-08-05 21:29 ` [WIP 3/4] bpf: Add a way to mark functions as requiring privilege Andy Lutomirski
2019-08-05 21:29 ` Andy Lutomirski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9e77ae06243555a96a3fd5e854f61d24823110c9.1565040372.git.luto@kernel.org \
--to=luto@kernel.org \
--cc=Kernel-team@fb.com \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lmb@cloudflare.com \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).