public inbox for bpf@vger.kernel.org
From: "Guillaume GONNET" <ggonnet.linux@gmail.com>
To: "Daniel Borkmann" <daniel@iogearbox.net>, <bpf@vger.kernel.org>
Cc: <ast@kernel.org>, <john.fastabend@gmail.com>,
	"Martin KaFai Lau" <martin.lau@linux.dev>
Subject: Re: [PATCH] bpf: fix TCX/netkit detach permissions when prog FD isn't given
Date: Mon, 26 Jan 2026 18:03:50 +0100
Message-ID: <DFYOMG792VK3.2QF7I24T5GQQN@gmail.com>
In-Reply-To: <4cc162d4-9d19-4406-a93c-d6dcdf65f55f@iogearbox.net>

On Mon Jan 26, 2026 at 2:24 PM CET, Daniel Borkmann wrote:
> $subj should be [PATCH bpf] and as the AI review flagged, Fixes tag would
> make sense so that this also gets backported into stable.

> Looks reasonable to me. I looked at the other types as well, and as far as I
> can see for all the others you need to have a valid program fd in order to
> do anything in terms of modifications. Similar to BPF_LINK_{CREATE,UPDATE}
> and BPF_PROG_ATTACH. This assumes you either had a BPF token or CAP_NET_ADMIN
> at the time of the program creation or the correct permissions in BPF fs
> via BPF_OBJ_GET. Anyway, I would change this slightly into the below given
> the above makes assumptions that the detach is always about networking
> programs and it might not be in future.

Ok, I will remake the patch integrating your suggestions. I also did
look at the other program types and maybe there is also an issue with
CGROUP program types, when BPF_F_ALLOW_MULTI flag isn't set. But you need
a CGROUP FD and according to comments, it may be intentional to maintain
backward compatibility. But I'm not sure as the commit af6eea574 with that
CGROUP code is older than the one changing BPF ACL (c8644cd0e).

Concerning Fixes tag, I will add one but referring to the right commit
that introduced this detach code (e420bed02507), not the one that I
mentioned in my first patch. I will also use the AI commit message, which
is much simpler.


