Message-ID: <56c1f2f89428b49dad615fc13cc8c120d4ca4abf.camel@domdv.de>
Subject: [RFC][PATCH kernel_bpf] honor CAP_NET_ADMIN for BPF_PROG_LOAD
From: Andreas Steinmetz
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Date: Tue, 28 May 2019 18:53:10 +0200

[sorry for crossposting but this affects both lists]

BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_XDP should be allowed for CAP_NET_ADMIN capability. Nearly everything one can do with these program types can be done some other way with CAP_NET_ADMIN capability (e.g. NFQUEUE), but only slower.

This change is similar in behaviour to the /proc/sys/net CAP_NET_ADMIN exemption.

Overall chances are of increased security as network related applications no longer need to keep CAP_SYS_ADMIN admin capability for network related eBPF operations.

It may well be that other program types than BPF_PROG_TYPE_XDP and BPF_PROG_TYPE_SCHED_CLS do need the same exemption, though I do not have sufficient knowledge of other program types to be able to decide this.

Preloading BPF programs is not possible in case of application modified or generated BPF programs, so this is no alternative.

The verifier does prevent the BPF program from doing harmful things anyway.

Signed-off-by: Andreas Steinmetz

--- a/kernel/bpf/syscall.c 2019-05-28 18:00:40.472841432 +0200
+++ b/kernel/bpf/syscall.c 2019-05-28 18:17:50.162811510 +0200 @@ -1561,8 +1561,13 @@ static int bpf_prog_load(union bpf_attr return -E2BIG; if (type != BPF_PROG_TYPE_SOCKET_FILTER && type != BPF_PROG_TYPE_CGROUP_SKB && - !capable(CAP_SYS_ADMIN)) - return -EPERM; + !capable(CAP_SYS_ADMIN)) { + if (type != BPF_PROG_TYPE_SCHED_CLS && + type != BPF_PROG_TYPE_XDP) + return -EPERM; + if(!capable(CAP_NET_ADMIN)) + return -EPERM; + } bpf_prog_load_fixup_attach_type(attr); if (bpf_prog_load_check_attach_type(type, attr->expected_attach_type))
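
Review bot: In the block added under `!capable(CAP_SYS_ADMIN)`, the two `return -EPERM` branches can be one test, and `if(!capable(CAP_NET_ADMIN))` is missing the space after `if` that kernel coding style requires. A single condition such as `if ((type != BPF_PROG_TYPE_SCHED_CLS && type != BPF_PROG_TYPE_XDP) || !capable(CAP_NET_ADMIN)) return -EPERM;` states the policy more directly. Note also that `capable(CAP_SYS_ADMIN)` is still evaluated first, so a task holding only CAP_NET_ADMIN fails that check on every load before reaching the fallback; where an LSM audits capability denials, this can log a denial for a load that then succeeds, so consider testing CAP_NET_ADMIN for these two types before CAP_SYS_ADMIN. Since the justification for exempting exactly SCHED_CLS and XDP lives only in the commit message, a short comment above the new check naming why these two types are acceptable without CAP_SYS_ADMIN would help the next person who extends the list.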