From patchwork Thu Jun 1 01:16:00 2017
X-Patchwork-Submitter: Chenbo Feng
X-Patchwork-Id: 769460
X-Patchwork-Delegate: davem@davemloft.net
From: Chenbo Feng
To: netdev@vger.kernel.org, David Miller
Cc: Lorenzo Colitti, Chenbo Feng
Subject: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program
Date: Wed, 31 May 2017 18:16:00 -0700
Message-Id: <1496279760-20996-2-git-send-email-chenbofeng.kernel@gmail.com>
In-Reply-To: <1496279760-20996-1-git-send-email-chenbofeng.kernel@gmail.com>

From: Chenbo Feng

Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN capability while attaching the program to a cgroup only requires the user to have CAP_NET_ADMIN privilege. We can escape the capability check when loading the program just like socket filter program to make the capability requirement consistent.

Change since v1:
Change the code style in order to be compliant with checkpatch.pl preference

Signed-off-by: Chenbo Feng
Acked-by: Alexei Starovoitov
---
 kernel/bpf/syscall.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 265a0d8..59da103 100644 --- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c @@ -815,7 +815,9 @@ static int bpf_prog_load(union bpf_attr *attr) attr->kern_version != LINUX_VERSION_CODE) return -EINVAL; - if (type != BPF_PROG_TYPE_SOCKET_FILTER && !capable(CAP_SYS_ADMIN)) + if (type != BPF_PROG_TYPE_SOCKET_FILTER && + type != BPF_PROG_TYPE_CGROUP_SKB && + !capable(CAP_SYS_ADMIN)) return -EPERM; /* plain bpf_prog allocation */
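
Review bot: The condition in bpf_prog_load() now exempts two program types from the CAP_SYS_ADMIN check, and nothing at this site records why either one is acceptable for an unprivileged loader. The commit message rests on attach requiring CAP_NET_ADMIN, but no CAP_NET_ADMIN check is added on the load path in this hunk, so a caller without CAP_SYS_ADMIN is no longer rejected here for BPF_PROG_TYPE_CGROUP_SKB and the attach-time check becomes the only privilege gate the changelog names for this type. Please add a comment above the `if` saying so, and state in the changelog whether the code after this check already treats CGROUP_SKB programs from unprivileged callers the same way it treats SOCKET_FILTER ones. If more types are expected to join this list, folding the type comparisons into a small helper (for example a hypothetical bpf_prog_type_needs_sys_admin(type)) would keep the condition readable and give the rationale one place to live.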