[PATCH bpf-next 1/2] bpf: allow socket_filter programs to use bpf_prog_test_run

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alexei Starovoitov <ast@kernel.org>
To: <davem@davemloft.net>
Cc: <daniel@iogearbox.net>, <netdev@vger.kernel.org>, <kernel-team@fb.com>
Subject: [PATCH bpf-next 1/2] bpf: allow socket_filter programs to use bpf_prog_test_run
Date: Wed, 17 Jan 2018 16:52:02 -0800	[thread overview]
Message-ID: <20180118005203.1978645-2-ast@kernel.org> (raw)
In-Reply-To: <20180118005203.1978645-1-ast@kernel.org>

in order to improve test coverage allow socket_filter program type
to be run via bpf_prog_test_run command.
Since such programs can be loaded by non-root tighten
permissions for bpf_prog_test_run to be root only
to avoid surprises.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/syscall.c | 2 ++
 net/core/filter.c    | 1 +
 2 files changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index c691b9e972e3..08ca42b1b916 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1504,6 +1504,8 @@ static int bpf_prog_test_run(const union bpf_attr *attr,
 	struct bpf_prog *prog;
 	int ret = -ENOTSUPP;
 
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (CHECK_ATTR(BPF_PROG_TEST_RUN))
 		return -EINVAL;
 
diff --git a/net/core/filter.c b/net/core/filter.c
index db2ee8c7e1bd..30fafaaa90fa 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4526,6 +4526,7 @@ const struct bpf_verifier_ops sk_filter_verifier_ops = {
 };
 
 const struct bpf_prog_ops sk_filter_prog_ops = {
+	.test_run		= bpf_prog_test_run_skb,
 };
 
 const struct bpf_verifier_ops tc_cls_act_verifier_ops = {
-- 
2.9.5

next prev parent reply	other threads:[~2018-01-18  0:52 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-18  0:52 [PATCH bpf-next 0/2] bpf: increase bpf test coverage Alexei Starovoitov
2018-01-18  0:52 ` Alexei Starovoitov [this message]
2018-01-18  0:52 ` [PATCH bpf-next 2/2] selftests/bpf: make test_verifier run most programs Alexei Starovoitov

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c691b9e972e dfblob:08ca42b1b91 dfblob:db2ee8c7e1b
dfblob:30fafaaa90f )
 OR (
bs:"[PATCH bpf-next 1/2] bpf: allow socket_filter programs to use bpf_prog_test_run" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180118005203.1978645-2-ast@kernel.org \
    --to=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=kernel-team@fb.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.