From: Jakub Kicinski
To: netdev@vger.kernel.org
Cc: alexei.starovoitov@gmail.com, daniel@iogearbox.net, Jakub Kicinski
Subject: [PATCH net 02/10] bpf: offload: limit offload to cls_bpf and xdp programs only
Date: Sun, 19 Nov 2017 20:55:14 -0800
Message-Id: <20171120045522.2188-3-jakub.kicinski@netronome.com>
In-Reply-To: <20171120045522.2188-1-jakub.kicinski@netronome.com>
X-Patchwork-Id: 839424

We are currently only allowing attachment of device-bound cls_bpf and XDP programs. Make this restriction explicit in the BPF offload code. This way we can potentially reuse the ifindex field in the future.

Since XDP and cls_bpf programs can only be loaded by admin, we can drop the explicit capability check from offload code.

Signed-off-by: Jakub Kicinski Reviewed-by: Quentin Monnet Acked-by: Alexei Starovoitov Acked-by: Daniel Borkmann --- kernel/bpf/offload.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/offload.c b/kernel/bpf/offload.c index fd696d3dd429..ac187f9ee182 100644 --- a/kernel/bpf/offload.c +++ b/kernel/bpf/offload.c @@ -14,8 +14,9 @@ int bpf_prog_offload_init(struct bpf_prog *prog, union bpf_attr *attr) struct net *net = current->nsproxy->net_ns; struct bpf_dev_offload *offload; - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; + if (attr->prog_type != BPF_PROG_TYPE_SCHED_CLS && + attr->prog_type != BPF_PROG_TYPE_XDP) + return -EINVAL; if (attr->prog_flags) return -EINVAL;
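
Review bot: In bpf_prog_offload_init(), removing the capable(CAP_SYS_ADMIN) test leaves the privilege requirement for offload enforced only implicitly. It now rests on the commit message's statement that cls_bpf and XDP programs can only be loaded by admin, and nothing in the function records that dependency. Please add a short comment above the new attr->prog_type condition saying that the allow-list is restricted to program types whose load path already requires admin, so that anyone who later adds a type to this condition has to reconsider whether an explicit capability check is needed again. It is also worth stating in the commit message that a rejected program type returns -EINVAL, whereas the first failure on this path used to be -EPERM, in case any caller distinguishes the two.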