From: Stanislav Fomichev <sdf@google.com>
To: Andrii Nakryiko <andrii@kernel.org>
Cc: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
martin.lau@kernel.org, kernel-team@meta.com
Subject: Re: [PATCH bpf-next 01/10] bpf: move unprivileged checks into map_create() and bpf_prog_load()
Date: Wed, 3 May 2023 11:28:48 -0700 [thread overview]
Message-ID: <ZFKn4JjmiGTHyWpj@google.com> (raw)
In-Reply-To: <20230502230619.2592406-2-andrii@kernel.org>
On 05/02, Andrii Nakryiko wrote:
> Make each bpf() syscall command a bit more self-contained, making it
> easier to further enhance it. We move sysctl_unprivileged_bpf_disabled
> handling down to map_create() and bpf_prog_load(), two special commands
> in this regard.
>
> Also swap the order of checks, calling bpf_capable() only if
> sysctl_unprivileged_bpf_disabled is true, avoiding unnecessary audit
> messages.
>
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> ---
> kernel/bpf/syscall.c | 37 ++++++++++++++++++++++---------------
> 1 file changed, 22 insertions(+), 15 deletions(-)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 14f39c1e573e..d5009fafe0f4 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1132,6 +1132,17 @@ static int map_create(union bpf_attr *attr)
> int f_flags;
> int err;
[..]
> + /* Intent here is for unprivileged_bpf_disabled to block key object
> + * creation commands for unprivileged users; other actions depend
> + * of fd availability and access to bpffs, so are dependent on
> + * object creation success. Capabilities are later verified for
> + * operations such as load and map create, so even with unprivileged
> + * BPF disabled, capability checks are still carried out for these
> + * and other operations.
> + */
> + if (sysctl_unprivileged_bpf_disabled && !bpf_capable())
> + return -EPERM;
> +
Does it make sense to have something like unpriv_bpf_capable() to avoid
the copy-paste?
next prev parent reply other threads:[~2023-05-03 18:28 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-02 23:06 [PATCH bpf-next 00/10] Centralize BPF permission checks Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 01/10] bpf: move unprivileged checks into map_create() and bpf_prog_load() Andrii Nakryiko
2023-05-03 18:28 ` Stanislav Fomichev [this message]
2023-05-03 19:04 ` Andrii Nakryiko
2023-05-03 22:33 ` Stanislav Fomichev
2023-05-04 18:52 ` Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 02/10] bpf: inline map creation logic in map_create() function Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 03/10] bpf: centralize permissions checks for all BPF map types Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 04/10] bpf: remember if bpf_map was unprivileged and use that consistently Andrii Nakryiko
2023-05-04 20:05 ` Alexei Starovoitov
2023-05-04 22:51 ` Andrii Nakryiko
2023-05-04 22:54 ` Alexei Starovoitov
2023-05-04 23:06 ` Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 05/10] bpf: drop unnecessary bpf_capable() check in BPF_MAP_FREEZE command Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 06/10] bpf: keep BPF_PROG_LOAD permission checks clear of validations Andrii Nakryiko
2023-05-04 20:12 ` Alexei Starovoitov
2023-05-04 22:51 ` Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 07/10] bpf: record effective capabilities at BPF prog load time Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 08/10] bpf: use recorded BPF prog effective caps when fetching helper protos Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 09/10] bpf: use recorded bpf_capable flag in JIT code Andrii Nakryiko
2023-05-04 22:09 ` Alexei Starovoitov
2023-05-04 22:51 ` Andrii Nakryiko
2023-05-02 23:06 ` [PATCH bpf-next 10/10] bpf: consistenly use program's recorded capabilities in BPF verifier Andrii Nakryiko
2023-05-04 22:20 ` Alexei Starovoitov
2023-05-04 22:51 ` Andrii Nakryiko
2023-05-05 19:08 ` Andrii Nakryiko
2023-05-05 19:55 ` Alexei Starovoitov
2023-05-11 16:21 ` Alexei Starovoitov
2023-05-15 16:42 ` Andrii Nakryiko
2023-05-15 18:38 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZFKn4JjmiGTHyWpj@google.com \
--to=sdf@google.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.