From: Daniel Borkmann <daniel@iogearbox.net>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Chenbo Feng <chenbofeng.kernel@gmail.com>
Cc: netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
Lorenzo Colitti <lorenzo@google.com>,
Chenbo Feng <fengc@google.com>
Subject: Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program
Date: Tue, 06 Jun 2017 18:56:29 +0200
Message-ID: <5936DEBD.2050401@iogearbox.net>
In-Reply-To: <20170601234235.iwu55crijtxuq5mp@ast-mbp>

On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
> On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fengc@google.com>
>>
>> Currently, loading a cgroup skb eBPF program requires the CAP_SYS_ADMIN
>> capability, while attaching the program to a cgroup only requires the
>> user to have the CAP_NET_ADMIN privilege. We can escape the capability
>> check when loading the program, just like socket filter programs do, to make
>> the capability requirement consistent.
>>
>> Changes since v1:
>> Changed the code style in order to be compliant with checkpatch.pl
>> preferences
>>
>> Signed-off-by: Chenbo Feng <fengc@google.com>
>
> as far as I can see they're indeed the same as socket filters, so
> Acked-by: Alexei Starovoitov <ast@kernel.org>
>
> but I don't quite understand how it helps, since as you said
> attaching such unpriv fd to cgroup still requires root.
> Do you have more patches to follow?
Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
then we must at least also zero out the not-yet-initialized memory
for the mac header for egress case in __cgroup_bpf_run_filter_skb().