* [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given @ 2026-01-24 21:43 Guillaume GONNET 2026-01-24 22:06 ` bot+bpf-ci 2026-01-26 13:24 ` Daniel Borkmann 0 siblings, 2 replies; 16+ messages in thread From: Guillaume GONNET @ 2026-01-24 21:43 UTC (permalink / raw) To: bpf; +Cc: ast, daniel, john.fastabend, Guillaume GONNET Since c8644cd0e, BPF permissions are indirectly checked by having a program FD or bpffs ACL. When using BPF_PROG_DETACH command on TCX or netkit device, it's not required to provide a program FD. Instead, the program can be specified using a relative specifier (eg., BPF_F_AFTER). In this case, there is no permission check as there is no FD involved, so any user can execute that detach command. This is problematic when BPF is used to filter out packets not intended to user as it can just remove the filter from the network interface. For this reason, require CAP_NET_ADMIN or CAP_SYS_ADMIN in detach (only when the BPF program FD isn't provided). Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com> --- kernel/bpf/syscall.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 3c5c03d43f5f..d1600aef6e03 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -4563,6 +4563,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); + } else if (!bpf_net_capable()) { + return -EPERM; } } else if (is_cgroup_prog_type(ptype, 0, false)) { if (attr->attach_flags || attr->relative_fd) -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
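Review bot: the submission carries no Fixes: tag and no target-tree prefix, both of which a permission fix headed for stable needs: make the subject `[PATCH bpf] ...` and add `Fixes: <sha> ("<subject>")` for the commit that introduced the FD-less tcx/netkit detach path (the message names c8644cd0e, which is where permission checking moved to FD/bpffs-ACL, not where this detach variant appeared). The hunk itself is in the right place: the new `} else if (!bpf_net_capable()) {` branch lives inside `if (bpf_mprog_supported(ptype))`, so only the mprog (tcx/netkit) path is affected and -EPERM is returned before any program lookup. It does hard-wire the assumption that every mprog-capable program type is a networking type, though, so a per-type helper in bpf_mprog.h that decides the policy for an FD-less detach would age better than calling the syscall.c-local `bpf_net_capable()` directly, and a selftest doing an unprivileged FD-less BPF_PROG_DETACH that expects -EPERM would pin the fix down.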
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
From: bot+bpf-ci @ 2026-01-24 22:06 UTC
To: ggonnet.linux, bpf
Cc: ast, daniel, john.fastabend, ggonnet.linux, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai

commit f4c6314e5e1b2eb9762846d92b6a8169e25de6d7
Author: Guillaume GONNET <ggonnet.linux@gmail.com>

bpf: fix TCX/netkit detach permissions when prog FD isn't given

This commit fixes a security issue where BPF_PROG_DETACH on TCX or netkit
devices could be executed by any user when no program FD was provided,
bypassing permission checks. The fix adds a capability check for
CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.

> Since c8644cd0e, BPF permissions are indirectly checked by having a
> program FD or bpffs ACL. When using BPF_PROG_DETACH command on TCX or
> netkit device, it's not required to provide a program FD. Instead, the
> program can be specified using a relative specifier (eg., BPF_F_AFTER).
>
> In this case, there is no permission check as there is no FD involved,
> so any user can execute that detach command. This is problematic when
> BPF is used to filter out packets not intended to user as it can just
> remove the filter from the network interface.
>
> For this reason, require CAP_NET_ADMIN or CAP_SYS_ADMIN in detach (only
> when the BPF program FD isn't provided).
>
> Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com>

The commit message references "c8644cd0e" as the commit that introduced the
behavior being fixed. Should this commit include a Fixes: tag pointing to
that commit?

This would help with tracking the bug origin and determining stable backport
scope, particularly since this is a security fix. Suggested addition:

Fixes: c8644cd0e??? ("<subject of c8644cd0e>")

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21322248996
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given 2026-01-24 21:43 [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given Guillaume GONNET 2026-01-24 22:06 ` bot+bpf-ci @ 2026-01-26 13:24 ` Daniel Borkmann 2026-01-26 17:03 ` Guillaume GONNET 2026-01-26 17:07 ` [PATCH bpf] " Guillaume GONNET 1 sibling, 2 replies; 16+ messages in thread From: Daniel Borkmann @ 2026-01-26 13:24 UTC (permalink / raw) To: Guillaume GONNET, bpf; +Cc: ast, john.fastabend, Martin KaFai Lau On 1/24/26 10:43 PM, Guillaume GONNET wrote: > Since c8644cd0e, BPF permissions are indirectly checked by having a > program FD or bpffs ACL. When using BPF_PROG_DETACH command on TCX or > netkit device, it's not required to provide a program FD. Instead, the > program can be specified using a relative specifier (eg., BPF_F_AFTER). > > In this case, there is no permission check as there is no FD involved, > so any user can execute that detach command. This is problematic when > BPF is used to filter out packets not intended to user as it can just > remove the filter from the network interface. > > For this reason, require CAP_NET_ADMIN or CAP_SYS_ADMIN in detach (only > when the BPF program FD isn't provided). > > Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com> > --- $subj should be [PATCH bpf] and as the AI review flagged, Fixes tag would make sense so that this also gets backported into stable. > kernel/bpf/syscall.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 3c5c03d43f5f..d1600aef6e03 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c 
> @@ -4563,6 +4563,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) > prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); > if (IS_ERR(prog)) > return PTR_ERR(prog); > + } else if (!bpf_net_capable()) { > + return -EPERM; > } > } else if (is_cgroup_prog_type(ptype, 0, false)) { > if (attr->attach_flags || attr->relative_fd) Looks reasonable to me. I looked at the other types as well, and as far as I can see for all the others you need to have a valid program fd in order to do anything in terms of modifications. Similar to BPF_LINK_{CREATE,UPDATE} and BPF_PROG_ATTACH. This assumes you either had a BPF token or CAP_NET_ADMIN at the time of the program creation or the correct permissions in BPF fs via BPF_OBJ_GET. Anyway, I would change this slightly into the below given the above makes assumptions that the detach is always about networking programs and it might not be in future. diff --git a/include/linux/bpf.h b/include/linux/bpf.h index e5be698256d1..ffd22321aa63 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2623,6 +2623,11 @@ static inline bool bpf_bypass_spec_v4(const struct bpf_token *token) bpf_token_capable(token, CAP_PERFMON); } +static inline bool bpf_net_capable(void) +{ + return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); +} + int bpf_map_new_fd(struct bpf_map *map, int flags); int bpf_prog_new_fd(struct bpf_prog *prog); diff --git a/include/linux/bpf_mprog.h b/include/linux/bpf_mprog.h index 929225f7b095..0b9f4caeeb0a 100644 --- a/include/linux/bpf_mprog.h +++ b/include/linux/bpf_mprog.h @@ -340,4 +340,14 @@ static inline bool bpf_mprog_supported(enum bpf_prog_type type) return false; } } + +static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_SCHED_CLS: + return bpf_net_capable(); + default: + return false; + } +} #endif /* __BPF_MPROG_H */ diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 4ff82144f885..4ca90020876f 100644 --- a/kernel/bpf/syscall.c 
+++ b/kernel/bpf/syscall.c @@ -1366,11 +1366,6 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token, return ret; } -static bool bpf_net_capable(void) -{ - return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); -} - #define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash_size /* called via syscall */ static int map_create(union bpf_attr *attr, bpfptr_t uattr) @@ -4565,7 +4562,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); - } + } else if (!bpf_mprog_detach_empty(ptype)) + return -EPERM; } else if (is_cgroup_prog_type(ptype, 0, false)) { if (attr->attach_flags || attr->relative_fd) return -EINVAL; ^ permalink raw reply related [flat|nested] 16+ messages in thread
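Review bot: the bpf.h hunk at @@ -2623 drops `bpf_net_capable()` in next to `bpf_bypass_spec_v4()`, which sits inside the `#ifdef CONFIG_BPF_SYSCALL` section of that header, while its new caller `bpf_mprog_detach_empty()` in bpf_mprog.h is unconditional and that header is included by net/core/dev.c through include/net/tcx.h; a `CONFIG_BPF_SYSCALL=n` build will therefore see an implicit declaration of `bpf_net_capable`. Define the helper below the `#endif /* CONFIG_BPF_SYSCALL */` instead, as it depends only on `capable()`.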
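Review bot: in the syscall.c hunk at @@ -4565 the `- }` deletion is load-bearing: once `} else if (!bpf_mprog_detach_empty(ptype))` closes the `if (attr->attach_bpf_fd)` block, the old closing brace has to disappear or the function ends up with a stray `}`, so whoever picks this suggestion up must carry the deletion over. Also, with the `if` branch braced, kernel coding style wants braces on the `else if` branch as well: `} else if (!bpf_mprog_detach_empty(ptype)) {` / `return -EPERM;` / `}`.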
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
From: Guillaume GONNET @ 2026-01-26 17:03 UTC
To: Daniel Borkmann, bpf; +Cc: ast, john.fastabend, Martin KaFai Lau

On Mon Jan 26, 2026 at 2:24 PM CET, Daniel Borkmann wrote:
> $subj should be [PATCH bpf] and as the AI review flagged, Fixes tag would
> make sense so that this also gets backported into stable.

> Looks reasonable to me. I looked at the other types as well, and as far as I
> can see for all the others you need to have a valid program fd in order to
> do anything in terms of modifications. Similar to BPF_LINK_{CREATE,UPDATE}
> and BPF_PROG_ATTACH. This assumes you either had a BPF token or CAP_NET_ADMIN
> at the time of the program creation or the correct permissions in BPF fs
> via BPF_OBJ_GET. Anyway, I would change this slightly into the below given
> the above makes assumptions that the detach is always about networking
> programs and it might not be in future.

Ok, I will remake the patch integrating your suggestions.

I also did look at the other program types and maybe there is also an issue
with CGROUP program types, when BPF_F_ALLOW_MULTI flag isn't set. But you need
a CGROUP FD and according to comments, it may be intentional to maintain
backward compatibility. But I'm not sure as the commit af6eea574 with that
CGROUP code is older than the one changing BPF ACL (c8644cd0e).

Concerning Fixes tag, I will add one but referring to the right commit that
introduced this detach code (e420bed02507), not the one that I mentioned in
my first patch.

I will also use the AI commit message, which is much simpler.
* [PATCH bpf] bpf: fix TCX/netkit detach permissions when prog FD isn't given 2026-01-26 13:24 ` Daniel Borkmann 2026-01-26 17:03 ` Guillaume GONNET @ 2026-01-26 17:07 ` Guillaume GONNET 2026-01-26 17:23 ` bot+bpf-ci 1 sibling, 1 reply; 16+ messages in thread From: Guillaume GONNET @ 2026-01-26 17:07 UTC (permalink / raw) To: daniel; +Cc: ast, bpf, ggonnet.linux, john.fastabend, martin.lau This commit fixes a security issue where BPF_PROG_DETACH on TCX or netkit devices could be executed by any user when no program FD was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com> --- include/linux/bpf.h | 5 +++++ include/linux/bpf_mprog.h | 10 ++++++++++ kernel/bpf/syscall.c | 7 ++----- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4427c6e98331..5f59d1f173a2 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2742,6 +2742,11 @@ static inline bool bpf_bypass_spec_v4(const struct bpf_token *token) bpf_token_capable(token, CAP_PERFMON); } +static inline bool bpf_net_capable(void) +{ + return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); +} + int bpf_map_new_fd(struct bpf_map *map, int flags); int bpf_prog_new_fd(struct bpf_prog *prog); diff --git a/include/linux/bpf_mprog.h b/include/linux/bpf_mprog.h index 929225f7b095..0b9f4caeeb0a 100644 --- a/include/linux/bpf_mprog.h +++ b/include/linux/bpf_mprog.h @@ -340,4 +340,14 @@ static inline bool bpf_mprog_supported(enum bpf_prog_type type) return false; } } + +static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_SCHED_CLS: + return bpf_net_capable(); + default: + return false; + } +} #endif /* __BPF_MPROG_H */ 
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b9184545c3fd..419d88bb5944 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1363,11 +1363,6 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token, return ret; } -static bool bpf_net_capable(void) -{ - return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); -} - #define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash_size /* called via syscall */ static int map_create(union bpf_attr *attr, bpfptr_t uattr) @@ -4579,6 +4574,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); + } else if (!bpf_mprog_detach_empty(ptype)) + return -EPERM; } } else if (is_cgroup_prog_type(ptype, 0, false)) { if (attr->attach_flags || attr->relative_fd) -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
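Review bot: the syscall.c hunk at @@ -4579 does not compile: the added `} else if (!bpf_mprog_detach_empty(ptype))` now closes the `if (attr->attach_bpf_fd)` block, yet the unchanged context line `}` after `return -EPERM;` still closes it too, so the `bpf_mprog_supported()` block has one `}` more than it opens. The suggested diff earlier in this thread removed that brace with a `- }` line; do the same here, and since the `if` branch is braced, brace the `else if` branch too (`{`, `return -EPERM;`, `}` on their own lines).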
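Review bot: the bpf.h hunk at @@ -2742 places `bpf_net_capable()` beside `bpf_bypass_spec_v4()`, inside the header's `#ifdef CONFIG_BPF_SYSCALL` region, while `bpf_mprog_detach_empty()` in bpf_mprog.h (included unconditionally via include/net/tcx.h) calls it, so builds without CONFIG_BPF_SYSCALL will fail on an implicit declaration; move the definition past `#endif /* CONFIG_BPF_SYSCALL */`. Separately, this is a resubmission and should carry a version in the subject (`[PATCH bpf v2]`) plus a short changelog under the `---` marker saying what changed since the first posting.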
* Re: [PATCH bpf] bpf: fix TCX/netkit detach permissions when prog FD isn't given 2026-01-26 17:07 ` [PATCH bpf] " Guillaume GONNET @ 2026-01-26 17:23 ` bot+bpf-ci 2026-01-26 17:34 ` [PATCH] " Guillaume GONNET 2026-01-26 17:48 ` [PATCH bpf] " Daniel Borkmann 0 siblings, 2 replies; 16+ messages in thread From: bot+bpf-ci @ 2026-01-26 17:23 UTC (permalink / raw) To: ggonnet.linux, daniel Cc: ast, bpf, ggonnet.linux, john.fastabend, martin.lau, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai [-- Attachment #1: Type: text/plain, Size: 1964 bytes --] > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 4ff82144f885..9796fe5b9ab5 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c [ ... ] 
> @@ -4565,6 +4560,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) > prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); > if (IS_ERR(prog)) > return PTR_ERR(prog); > + } else if (!bpf_mprog_detach_empty(ptype)) > + return -EPERM; > } > } else if (is_cgroup_prog_type(ptype, 0, false)) { There appears to be a brace mismatch here that would prevent compilation. The original code structure was: if (attr->attach_bpf_fd) { prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); } The closing brace on its own line closed the if (attr->attach_bpf_fd) block. After this patch, the else-if clause closes that if block, but the original closing brace remains as a dangling brace: if (attr->attach_bpf_fd) { prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); } else if (!bpf_mprog_detach_empty(ptype)) return -EPERM; } <-- this brace has nothing to close This creates a mismatch where there are two opening braces (outer bpf_mprog_supported and inner attr->attach_bpf_fd) but three closing constructs. Was this patch tested to compile? The fix would be to remove the dangling closing brace on the context line, resulting in: if (attr->attach_bpf_fd) { prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); } else if (!bpf_mprog_detach_empty(ptype)) return -EPERM; --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21366799473 ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given 2026-01-26 17:23 ` bot+bpf-ci @ 2026-01-26 17:34 ` Guillaume GONNET 2026-01-26 21:40 ` patchwork-bot+netdevbpf ` (2 more replies) 2026-01-26 17:48 ` [PATCH bpf] " Daniel Borkmann 1 sibling, 3 replies; 16+ messages in thread From: Guillaume GONNET @ 2026-01-26 17:34 UTC (permalink / raw) To: daniel; +Cc: ast, bpf, ggonnet.linux, john.fastabend, martin.lau This commit fixes a security issue where BPF_PROG_DETACH on TCX or netkit devices could be executed by any user when no program FD was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com> --- include/linux/bpf.h | 5 +++++ include/linux/bpf_mprog.h | 10 ++++++++++ kernel/bpf/syscall.c | 7 ++----- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4427c6e98331..5f59d1f173a2 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2742,6 +2742,11 @@ static inline bool bpf_bypass_spec_v4(const struct bpf_token *token) bpf_token_capable(token, CAP_PERFMON); } +static inline bool bpf_net_capable(void) +{ + return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); +} + int bpf_map_new_fd(struct bpf_map *map, int flags); int bpf_prog_new_fd(struct bpf_prog *prog); diff --git a/include/linux/bpf_mprog.h b/include/linux/bpf_mprog.h index 929225f7b095..0b9f4caeeb0a 100644 --- a/include/linux/bpf_mprog.h +++ b/include/linux/bpf_mprog.h @@ -340,4 +340,14 @@ static inline bool bpf_mprog_supported(enum bpf_prog_type type) return false; } } + +static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_SCHED_CLS: + return bpf_net_capable(); + default: + return false; + } +} #endif /* __BPF_MPROG_H */ 
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b9184545c3fd..5f59dd47a5b1 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1363,11 +1363,6 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token, return ret; } -static bool bpf_net_capable(void) -{ - return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); -} - #define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash_size /* called via syscall */ static int map_create(union bpf_attr *attr, bpfptr_t uattr) @@ -4579,6 +4574,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); + } else if (!bpf_mprog_detach_empty(ptype)) { + return -EPERM; } } else if (is_cgroup_prog_type(ptype, 0, false)) { if (attr->attach_flags || attr->relative_fd) -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
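Review bot: the bpf.h hunk at @@ -2742 still defines `bpf_net_capable()` next to `bpf_bypass_spec_v4()` under `#ifdef CONFIG_BPF_SYSCALL`, while the unconditional `bpf_mprog_detach_empty()` in bpf_mprog.h calls it; any configuration with CONFIG_BPF_SYSCALL disabled that builds net/core/dev.c (which includes bpf_mprog.h through include/net/tcx.h) fails with an implicit declaration, which is exactly what the kernel test robot reports later in this thread for sh-defconfig. Put the helper after `#endif /* CONFIG_BPF_SYSCALL */`. The subject has also lost the `bpf` tree tag again and still carries no version number, so the maintainers cannot tell this posting apart from the previous two.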
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
From: patchwork-bot+netdevbpf @ 2026-01-26 21:40 UTC
To: Guillaume GONNET; +Cc: daniel, ast, bpf, john.fastabend, martin.lau

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Mon, 26 Jan 2026 18:34:31 +0100 you wrote:
> This commit fixes a security issue where BPF_PROG_DETACH on TCX or netkit
> devices could be executed by any user when no program FD was provided,
> bypassing permission checks. The fix adds a capability check for
> CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.
>
> Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support")
> Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com>
>
> [...]

Here is the summary with links:
  - bpf: fix TCX/netkit detach permissions when prog FD isn't given
    https://git.kernel.org/bpf/bpf-next/c/95ffdbda5eec

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
From: kernel test robot @ 2026-01-27 1:56 UTC
To: Guillaume GONNET, daniel
Cc: oe-kbuild-all, ast, bpf, ggonnet.linux, john.fastabend, martin.lau

Hi Guillaume,

kernel test robot noticed the following build errors:

[auto build test ERROR on bpf-next/net]
[also build test ERROR on bpf/master linus/master v6.19-rc7 next-20260126]
[cannot apply to bpf-next/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Guillaume-GONNET/bpf-fix-TCX-netkit-detach-permissions-when-prog-FD-isn-t-given/20260127-013722
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git net
patch link:    https://lore.kernel.org/r/20260126173431.19825-1-ggonnet.linux%40gmail.com
patch subject: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
config: sh-defconfig (https://download.01.org/0day-ci/archive/20260127/202601270903.NBB1BD47-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260127/202601270903.NBB1BD47-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202601270903.NBB1BD47-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/net/tcx.h:7,
                    from net/core/dev.c:114:
   include/linux/bpf_mprog.h: In function 'bpf_mprog_detach_empty':
>> include/linux/bpf_mprog.h:348:24: error: implicit declaration of function 'bpf_net_capable'; did you mean 'sk_net_capable'? [-Wimplicit-function-declaration]
     348 |                 return bpf_net_capable();
         |                        ^~~~~~~~~~~~~~~
         |                        sk_net_capable


vim +348 include/linux/bpf_mprog.h

   343
   344  static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type)
   345  {
   346          switch (type) {
   347          case BPF_PROG_TYPE_SCHED_CLS:
 > 348                  return bpf_net_capable();

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
From: Alexei Starovoitov @ 2026-01-27 2:29 UTC
To: kernel test robot
Cc: Guillaume GONNET, Daniel Borkmann, oe-kbuild-all, Alexei Starovoitov, bpf, John Fastabend, Martin KaFai Lau

On Mon, Jan 26, 2026 at 6:11 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
>
>
> On Mon, Jan 26, 2026 at 5:57 PM kernel test robot <lkp@intel.com> wrote:
> >
> > Hi Guillaume,
> >
> > kernel test robot noticed the following build errors:
> >
> > [auto build test ERROR on bpf-next/net]
> > [also build test ERROR on bpf/master linus/master v6.19-rc7 next-20260126]
> > [cannot apply to bpf-next/master]
> > [If your patch is applied to the wrong git tree, kindly drop us a note.
> > And when submitting patch, we suggest to use '--base' as documented in
> > https://git-scm.com/docs/git-format-patch#_base_tree_information]
> >
> > url:    https://github.com/intel-lab-lkp/linux/commits/Guillaume-GONNET/bpf-fix-TCX-netkit-detach-permissions-when-prog-FD-isn-t-given/20260127-013722
> > base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git net
> > patch link:    https://lore.kernel.org/r/20260126173431.19825-1-ggonnet.linux%40gmail.com
> > patch subject: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
> > config: sh-defconfig (https://download.01.org/0day-ci/archive/20260127/202601270903.NBB1BD47-lkp@intel.com/config)
> > compiler: sh4-linux-gcc (GCC) 15.2.0
> > reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260127/202601270903.NBB1BD47-lkp@intel.com/reproduce)
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <lkp@intel.com>
> > | Closes: https://lore.kernel.org/oe-kbuild-all/202601270903.NBB1BD47-lkp@intel.com/
> >
> > All errors (new ones prefixed by >>):
> >
> >    In file included from include/net/tcx.h:7,
> >                     from net/core/dev.c:114:
> >    include/linux/bpf_mprog.h: In function 'bpf_mprog_detach_empty':
> > >> include/linux/bpf_mprog.h:348:24: error: implicit declaration of function 'bpf_net_capable'; did you mean 'sk_net_capable'? [-Wimplicit-function-declaration]
> >      348 |                 return bpf_net_capable();
> >          |                        ^~~~~~~~~~~~~~~
> >          |                        sk_net_capable
> >
> >
> > vim +348 include/linux/bpf_mprog.h
> >
> >    343
> >    344  static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type)
> >    345  {
> >    346          switch (type) {
> >    347          case BPF_PROG_TYPE_SCHED_CLS:
> >  > 348                  return bpf_net_capable();
>
> I dropped the patch from bpf-next. Pls fix and resubmit.
* [PATCH bpf v4] bpf: Fix tcx/netkit detach permissions when prog fd isn't given 2026-01-27 2:29 ` Alexei Starovoitov @ 2026-01-27 8:26 ` Guillaume Gonnet 2026-01-27 13:10 ` Daniel Borkmann 0 siblings, 1 reply; 16+ messages in thread From: Guillaume Gonnet @ 2026-01-27 8:26 UTC (permalink / raw) To: alexei.starovoitov Cc: ast, bpf, daniel, ggonnet.linux, john.fastabend, martin.lau This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com> --- include/linux/bpf.h | 5 +++++ include/linux/bpf_mprog.h | 12 ++++++++++++ kernel/bpf/syscall.c | 7 ++----- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4427c6e98331..5f59d1f173a2 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2742,6 +2742,11 @@ static inline bool bpf_bypass_spec_v4(const struct bpf_token *token) bpf_token_capable(token, CAP_PERFMON); } +static inline bool bpf_net_capable(void) +{ + return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); +} + int bpf_map_new_fd(struct bpf_map *map, int flags); int bpf_prog_new_fd(struct bpf_prog *prog); diff --git a/include/linux/bpf_mprog.h b/include/linux/bpf_mprog.h index 929225f7b095..18d26ae6a5b6 100644 --- a/include/linux/bpf_mprog.h +++ b/include/linux/bpf_mprog.h @@ -340,4 +340,16 @@ static inline bool bpf_mprog_supported(enum bpf_prog_type type) return false; } } + +#ifdef CONFIG_BPF_SYSCALL +static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_SCHED_CLS: + return bpf_net_capable(); + default: + return false; + } +} +#endif /* CONFIG_BPF_SYSCALL */ #endif /* __BPF_MPROG_H */ 
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b9184545c3fd..5f59dd47a5b1 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1363,11 +1363,6 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token, return ret; } -static bool bpf_net_capable(void) -{ - return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); -} - #define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash_size /* called via syscall */ static int map_create(union bpf_attr *attr, bpfptr_t uattr) @@ -4579,6 +4574,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); + } else if (!bpf_mprog_detach_empty(ptype)) { + return -EPERM; } } else if (is_cgroup_prog_type(ptype, 0, false)) { if (attr->attach_flags || attr->relative_fd) -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
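Review bot: the `#ifdef CONFIG_BPF_SYSCALL` wrapped around `bpf_mprog_detach_empty()` in the bpf_mprog.h hunk at @@ -340 hides the kbuild error without fixing its cause, which is the bpf.h hunk at @@ -2742 still defining `bpf_net_capable()` inside that header's `#ifdef CONFIG_BPF_SYSCALL` region. `bpf_mprog_supported()` directly above needs no such guard and neither should this helper; move `bpf_net_capable()` after `#endif /* CONFIG_BPF_SYSCALL */` in bpf.h and drop the new ifdef, which also keeps bpf_mprog.h free of configuration conditionals.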
* Re: [PATCH bpf v4] bpf: Fix tcx/netkit detach permissions when prog fd isn't given 2026-01-27 8:26 ` [PATCH bpf v4] bpf: Fix tcx/netkit detach permissions when prog fd " Guillaume Gonnet @ 2026-01-27 13:10 ` Daniel Borkmann 2026-01-27 16:02 ` [PATCH bpf v5] " Guillaume Gonnet 0 siblings, 1 reply; 16+ messages in thread From: Daniel Borkmann @ 2026-01-27 13:10 UTC (permalink / raw) To: Guillaume Gonnet, alexei.starovoitov; +Cc: ast, bpf, john.fastabend, martin.lau Hi Guillaume, On 1/27/26 9:26 AM, Guillaume Gonnet wrote: > This commit fixes a security issue where BPF_PROG_DETACH on tcx or > netkit devices could be executed by any user when no program fd was > provided, bypassing permission checks. The fix adds a capability > check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. > > Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") > Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com> > --- > include/linux/bpf.h | 5 +++++ > include/linux/bpf_mprog.h | 12 ++++++++++++ > kernel/bpf/syscall.c | 7 ++----- > 3 files changed, 19 insertions(+), 5 deletions(-) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index 4427c6e98331..5f59d1f173a2 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -2742,6 +2742,11 @@ static inline bool bpf_bypass_spec_v4(const struct bpf_token *token) > bpf_token_capable(token, CAP_PERFMON); > } > > +static inline bool bpf_net_capable(void) > +{ > + return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); > +} > + > int bpf_map_new_fd(struct bpf_map *map, int flags); > int bpf_prog_new_fd(struct bpf_prog *prog); > > diff --git a/include/linux/bpf_mprog.h b/include/linux/bpf_mprog.h > index 929225f7b095..18d26ae6a5b6 100644 > --- a/include/linux/bpf_mprog.h > +++ b/include/linux/bpf_mprog.h 
> @@ -340,4 +340,16 @@ static inline bool bpf_mprog_supported(enum bpf_prog_type type) > return false; > } > } > + > +#ifdef CONFIG_BPF_SYSCALL > +static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type) > +{ > + switch (type) { > + case BPF_PROG_TYPE_SCHED_CLS: > + return bpf_net_capable(); > + default: > + return false; > + } > +} > +#endif /* CONFIG_BPF_SYSCALL */ While this silences the kbuild bot issue, it would be better to move the bpf_net_capable() outside the ifdef CONFIG_BPF_SYSCALL in the bpf.h header given this is the actual underlying cause. Then we don't need the ifdef above, e.g. bpf_mprog_supported() does not have it either. Thanks, Daniel ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH bpf v5] bpf: Fix tcx/netkit detach permissions when prog fd isn't given 2026-01-27 13:10 ` Daniel Borkmann @ 2026-01-27 16:02 ` Guillaume Gonnet 2026-01-28 2:50 ` patchwork-bot+netdevbpf 0 siblings, 1 reply; 16+ messages in thread From: Guillaume Gonnet @ 2026-01-27 16:02 UTC (permalink / raw) To: daniel Cc: alexei.starovoitov, ast, bpf, ggonnet.linux, john.fastabend, martin.lau This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com> --- include/linux/bpf.h | 5 +++++ include/linux/bpf_mprog.h | 10 ++++++++++ kernel/bpf/syscall.c | 7 ++----- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4427c6e98331..9272a237cced 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -3362,6 +3362,11 @@ static inline void bpf_prog_report_arena_violation(bool write, unsigned long add } #endif /* CONFIG_BPF_SYSCALL */ +static inline bool bpf_net_capable(void) +{ + return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); +} + static __always_inline int bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr) { diff --git a/include/linux/bpf_mprog.h b/include/linux/bpf_mprog.h index 929225f7b095..0b9f4caeeb0a 100644 --- a/include/linux/bpf_mprog.h +++ b/include/linux/bpf_mprog.h @@ -340,4 +340,14 @@ static inline bool bpf_mprog_supported(enum bpf_prog_type type) return false; } } + +static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_SCHED_CLS: + return bpf_net_capable(); + default: + return false; + } +} #endif /* __BPF_MPROG_H */ 
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b9184545c3fd..5f59dd47a5b1 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1363,11 +1363,6 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token, return ret; } -static bool bpf_net_capable(void) -{ - return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN); -} - #define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash_size /* called via syscall */ static int map_create(union bpf_attr *attr, bpfptr_t uattr) @@ -4579,6 +4574,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); if (IS_ERR(prog)) return PTR_ERR(prog); + } else if (!bpf_mprog_detach_empty(ptype)) { + return -EPERM; } } else if (is_cgroup_prog_type(ptype, 0, false)) { if (attr->attach_flags || attr->relative_fd) -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
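Review bot: In the include/linux/bpf.h hunk, the new bpf_net_capable() helper carries no comment saying when a caller should use it instead of plain capable(); now that it is exported header-wide and used from both map creation and the mprog detach path, a one-line comment ("CAP_NET_ADMIN or CAP_SYS_ADMIN: the privilege required for network-facing BPF operations") would help. Placing it after `#endif /* CONFIG_BPF_SYSCALL */` rather than inside that block is correct, since the bpf_mprog.h hunk calls it from code that is compiled regardless of CONFIG_BPF_SYSCALL.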
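Review bot: In the include/linux/bpf_mprog.h hunk, bpf_mprog_detach_empty() is undocumented and its name does not say what it decides, namely whether the caller may issue BPF_PROG_DETACH without naming a program through attach_bpf_fd. Suggest a short comment above it that also records that the single `case BPF_PROG_TYPE_SCHED_CLS:` covers both tcx and netkit (the commit message names both, the code names neither, and both attach SCHED_CLS programs), and that `default: return false;` is deliberate deny-by-default for any future mprog-capable type.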
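Review bot: The first kernel/bpf/syscall.c hunk deletes bpf_net_capable() from this file, but the commit message only describes the new capability check and says nothing about relocating the helper to include/linux/bpf.h; add a sentence to the message so the move, and why bpf_mprog.h needs it, is recorded. The deleted body matches the one added in bpf.h line for line, so the remaining callers in syscall.c keep their behaviour.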
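Review bot: In the second kernel/bpf/syscall.c hunk, the new `} else if (!bpf_mprog_detach_empty(ptype)) {` branch runs exactly when no attach_bpf_fd was supplied, so the capability is checked before any relative specifier (the `attr->attach_flags || attr->relative_fd` fields visible in the context below) is consulted, which is what closes the gap the commit message describes. A comment on the branch stating that without an fd there is no implicit permission from fd ownership would make the intent clear to the next reader, and a selftest that issues BPF_PROG_DETACH without an fd as an unprivileged user and expects -EPERM would lock the behaviour in.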
* Re: [PATCH bpf v5] bpf: Fix tcx/netkit detach permissions when prog fd isn't given 2026-01-27 16:02 ` [PATCH bpf v5] " Guillaume Gonnet @ 2026-01-28 2:50 ` patchwork-bot+netdevbpf 0 siblings, 0 replies; 16+ messages in thread From: patchwork-bot+netdevbpf @ 2026-01-28 2:50 UTC (permalink / raw) To: Guillaume Gonnet Cc: daniel, alexei.starovoitov, ast, bpf, john.fastabend, martin.lau Hello: This patch was applied to bpf/bpf-next.git (master) by Alexei Starovoitov <ast@kernel.org>: On Tue, 27 Jan 2026 17:02:00 +0100 you wrote: > This commit fixes a security issue where BPF_PROG_DETACH on tcx or > netkit devices could be executed by any user when no program fd was > provided, bypassing permission checks. The fix adds a capability > check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. > > Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") > Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com> > > [...] Here is the summary with links: - [bpf,v5] bpf: Fix tcx/netkit detach permissions when prog fd isn't given https://git.kernel.org/bpf/bpf-next/c/ae23bc81ddf7 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given 2026-01-26 17:34 ` [PATCH] " Guillaume GONNET 2026-01-26 21:40 ` patchwork-bot+netdevbpf 2026-01-27 1:56 ` kernel test robot @ 2026-01-27 3:12 ` kernel test robot 2 siblings, 0 replies; 16+ messages in thread
From: kernel test robot @ 2026-01-27 3:12 UTC (permalink / raw)
To: Guillaume GONNET, daniel
Cc: llvm, oe-kbuild-all, ast, bpf, ggonnet.linux, john.fastabend, martin.lau

Hi Guillaume,

kernel test robot noticed the following build errors:

[auto build test ERROR on bpf-next/net]
[also build test ERROR on bpf/master linus/master v6.19-rc7 next-20260126]
[cannot apply to bpf-next/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Guillaume-GONNET/bpf-fix-TCX-netkit-detach-permissions-when-prog-FD-isn-t-given/20260127-013722
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git net
patch link:    https://lore.kernel.org/r/20260126173431.19825-1-ggonnet.linux%40gmail.com
patch subject: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
config: powerpc-pcm030_defconfig (https://download.01.org/0day-ci/archive/20260127/202601271136.K6L9UhO2-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 9b8addffa70cee5b2acc5454712d9cf78ce45710)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260127/202601271136.K6L9UhO2-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202601271136.K6L9UhO2-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from net/core/dev.c:114:
   In file included from include/net/tcx.h:7:
>> include/linux/bpf_mprog.h:348:10: error: call to undeclared function 'bpf_net_capable'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
     348 |                 return bpf_net_capable();
         |                        ^
   include/linux/bpf_mprog.h:348:10: note: did you mean 'sk_net_capable'?
   include/net/sock.h:3024:6: note: 'sk_net_capable' declared here
    3024 | bool sk_net_capable(const struct sock *sk, int cap);
         |      ^
   1 error generated.

vim +/bpf_net_capable +348 include/linux/bpf_mprog.h

   343
   344  static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type)
   345  {
   346          switch (type) {
   347          case BPF_PROG_TYPE_SCHED_CLS:
 > 348                  return bpf_net_capable();

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf] bpf: fix TCX/netkit detach permissions when prog FD isn't given 2026-01-26 17:23 ` bot+bpf-ci 2026-01-26 17:34 ` [PATCH] " Guillaume GONNET @ 2026-01-26 17:48 ` Daniel Borkmann 1 sibling, 0 replies; 16+ messages in thread From: Daniel Borkmann @ 2026-01-26 17:48 UTC (permalink / raw) To: bot+bpf-ci, ggonnet.linux Cc: ast, bpf, john.fastabend, martin.lau, andrii, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai On 1/26/26 6:23 PM, bot+bpf-ci@kernel.org wrote: >> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c >> index 4ff82144f885..9796fe5b9ab5 100644 >> --- a/kernel/bpf/syscall.c >> +++ b/kernel/bpf/syscall.c > > [ ... ] > >> @@ -4565,6 +4560,8 @@ static int bpf_prog_detach(const union bpf_attr *attr) >> prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); >> if (IS_ERR(prog)) >> return PTR_ERR(prog); >> + } else if (!bpf_mprog_detach_empty(ptype)) >> + return -EPERM; >> } Please never send untested code. I saw you sent a new version already so I'll toss this one - in future please properly label with [PATCH bpf v3] if you send a new revision. Thanks, Daniel ^ permalink raw reply [flat|nested] 16+ messages in thread
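Review bot: In the quoted bpf_prog_detach() hunk, the braces no longer balance after the change: the added `}` closes the attach_bpf_fd block, the unbraced `else if` takes only `return -EPERM;`, and the unchanged context `}` that follows (which before the patch was the one closing the attach_bpf_fd block) now closes one level too many. The `else if` needs its own `{ ... }` so that the existing `}` closes it, which is the shape the v5 revision in this thread uses.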
Thread overview: 16+ messages
2026-01-24 21:43 [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given Guillaume GONNET
2026-01-24 22:06 ` bot+bpf-ci
2026-01-26 13:24 ` Daniel Borkmann
2026-01-26 17:03 ` Guillaume GONNET
2026-01-26 17:07 ` [PATCH bpf] " Guillaume GONNET
2026-01-26 17:23 ` bot+bpf-ci
2026-01-26 17:34 ` [PATCH] " Guillaume GONNET
2026-01-26 21:40 ` patchwork-bot+netdevbpf
2026-01-27 1:56 ` kernel test robot
[not found] ` <CAADnVQJNvx34irz6JYbmZvmaYU0AGRDcu8znsKjA_di798RisA@mail.gmail.com>
2026-01-27 2:29 ` Alexei Starovoitov
2026-01-27 8:26 ` [PATCH bpf v4] bpf: Fix tcx/netkit detach permissions when prog fd " Guillaume Gonnet
2026-01-27 13:10 ` Daniel Borkmann
2026-01-27 16:02 ` [PATCH bpf v5] " Guillaume Gonnet
2026-01-28 2:50 ` patchwork-bot+netdevbpf
2026-01-27 3:12 ` [PATCH] bpf: fix TCX/netkit detach permissions when prog FD " kernel test robot
2026-01-26 17:48 ` [PATCH bpf] " Daniel Borkmann