
[net,4/5] bpf: require CAP_NET_ADMIN when using sockmap maps

Message ID 150833588223.3588.4249180141887196078.stgit@john-XPS-13-9360
State Accepted, archived
Delegated to: David Miller
Series sockmap fixes for net

Commit Message

John Fastabend Oct. 18, 2017, 2:11 p.m. UTC
From: John Fastabend <john.fastabend@gmail.com>

Restrict sockmap to CAP_NET_ADMIN.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
---
 kernel/bpf/sockmap.c |    3 +++
 1 file changed, 3 insertions(+)

Comments

Alexei Starovoitov Oct. 18, 2017, 5:34 p.m. UTC | #1
On Wed, Oct 18, 2017 at 07:11:22AM -0700, John Fastabend wrote:
> From: John Fastabend <john.fastabend@gmail.com>
> 
> Restrict sockmap to CAP_NET_ADMIN.
> 
> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Acked-by: Alexei Starovoitov <ast@kernel.org>

Patch

diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index beaabb2..2b6eb35 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -486,6 +486,9 @@  static struct bpf_map *sock_map_alloc(union bpf_attr *attr)
 	int err = -EINVAL;
 	u64 cost;
 
+	if (!capable(CAP_NET_ADMIN))
+		return ERR_PTR(-EPERM);
+
 	/* check sanity of attributes */
 	if (attr->max_entries == 0 || attr->key_size != 4 ||
 	    attr->value_size != 4 || attr->map_flags & ~BPF_F_NUMA_NODE)
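Review bot: the one-line commit message ("Restrict sockmap to CAP_NET_ADMIN") does not say why the capability is required or which semantics were chosen, and the hunk makes two choices worth recording there. First, `capable(CAP_NET_ADMIN)` tests the caller against the initial user namespace, so CAP_NET_ADMIN held only inside a user namespace is not enough to create a sockmap; if a per-namespace check were intended, `ns_capable()` against the relevant namespace would be the alternative, so the commit message should state that the global check is deliberate. Second, the check sits in `sock_map_alloc()` and therefore gates only map creation: a sockmap created by a privileged process and then shared through its file descriptor or a pinned path stays usable by whoever obtains the fd, which is fine if that is the intended trust model but should be stated. Placement-wise the check is correct: it runs before the attribute sanity checks and before any allocation, so `return ERR_PTR(-EPERM);` has nothing to unwind, and an unprivileged caller gets `-EPERM` regardless of the attributes it passes rather than being able to probe them for `-EINVAL`.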