From: Edwin Peer <epeer@juniper.net>
To: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Cc: "ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
Edwin Peer <epeer@juniper.net>
Subject: [RFC PATCH bpf-next 1/2] bpf: defer capability checks until program attach
Date: Thu, 19 Dec 2019 01:36:27 +0000 [thread overview]
Message-ID: <20191219013534.125342-2-epeer@juniper.net> (raw)
In-Reply-To: <20191219013534.125342-1-epeer@juniper.net>
The intent of this patch is not to change the effective permissions
required to run a BPF program of a given type in the kernel. The
actual check, however, is now deferred until attach time. For
example, an XDP program will fail to bind to a device with EPERM if
the program was not originally loaded under CAP_SYS_ADMIN.
This is achieved by remembering whether the program was loaded by a
privileged user within the BPF program's context. The upshot of this
is that BPF_PROG_LOAD is no longer a privileged operation, thereby
exposing access to the verifier to normal users for all program
types.
Signed-off-by: Edwin Peer <epeer@juniper.net>
---
include/linux/filter.h | 3 ++-
kernel/bpf/syscall.c | 11 +++++++----
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index a141cb07e76a..1957eea62bed 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -534,7 +534,8 @@ struct bpf_prog {
is_func:1, /* program is a bpf function */
kprobe_override:1, /* Do we override a kprobe? */
has_callchain_buf:1, /* callchain buffer allocated? */
- enforce_expected_attach_type:1; /* Enforce expected_attach_type checking at attach time */
+ enforce_expected_attach_type:1, /* Enforce expected_attach_type checking at attach time */
+ privileged_load:1; /* Loaded with CAP_SYS_ADMIN */
enum bpf_prog_type type; /* Type of BPF program */
enum bpf_attach_type expected_attach_type; /* For some prog types */
u32 len; /* Number of filter blocks */
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index e3461ec59570..8e56768ebc06 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1586,6 +1586,11 @@ static struct bpf_prog *__bpf_prog_get(u32 ufd, enum bpf_prog_type *attach_type,
prog = ____bpf_prog_get(f);
if (IS_ERR(prog))
return prog;
+ if (prog->type != BPF_PROG_TYPE_SOCKET_FILTER &&
+ prog->type != BPF_PROG_TYPE_CGROUP_SKB && !prog->privileged_load) {
+ prog = ERR_PTR(-EPERM);
+ goto out;
+ }
if (!bpf_prog_get_ok(prog, attach_type, attach_drv)) {
prog = ERR_PTR(-EINVAL);
goto out;
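Review bot: __bpf_prog_get is the generic fd-to-prog lookup, so the EPERM added here applies to every caller that resolves a program fd through it, not only the attach paths the commit message describes; either say so in the commit message or move the check into the attach-specific callers. The exemption for BPF_PROG_TYPE_SOCKET_FILTER and BPF_PROG_TYPE_CGROUP_SKB now lives only here after being dropped from bpf_prog_load, so a one-line comment explaining that these are the two types an unprivileged loader may attach would help, and ordering the -EPERM test after the existing bpf_prog_get_ok() type check would keep -EINVAL for a type mismatch rather than masking it with -EPERM.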
@@ -1733,10 +1738,6 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
if (attr->insn_cnt == 0 ||
attr->insn_cnt > (capable(CAP_SYS_ADMIN) ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))
return -E2BIG;
- if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
- type != BPF_PROG_TYPE_CGROUP_SKB &&
- !capable(CAP_SYS_ADMIN))
- return -EPERM;
bpf_prog_load_fixup_attach_type(attr);
if (bpf_prog_load_check_attach(type, attr->expected_attach_type,
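Review bot: with the type-based EPERM removed from bpf_prog_load, nothing in this function documents that a non-socket-filter, non-cgroup-skb program loaded without CAP_SYS_ADMIN will be refused later at fd lookup; add a short comment here pointing at the check in __bpf_prog_get so the permission model is visible where a reader expects it. Note also that the insn_cnt limit two lines above still keys off capable(CAP_SYS_ADMIN), so an unprivileged load of, say, an XDP program is now run through the verifier under the BPF_MAXINSNS cap rather than failing early with -EPERM, which is the verifier exposure the commit message describes.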
@@ -1749,6 +1750,8 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
if (!prog)
return -ENOMEM;
+ prog->privileged_load = capable(CAP_SYS_ADMIN);
+
prog->expected_attach_type = attr->expected_attach_type;
prog->aux->attach_btf_id = attr->attach_btf_id;
if (attr->attach_prog_fd) {
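Review bot: `prog->privileged_load = capable(CAP_SYS_ADMIN);` is the second capable(CAP_SYS_ADMIN) call in bpf_prog_load (the first selects the insn_cnt limit earlier in the same function); evaluate it once into a local, e.g. `bool privileged = capable(CAP_SYS_ADMIN);`, and use that for both the instruction limit and the new flag so the two decisions cannot disagree and the capability check is performed once per load.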
--
2.24.1
Thread overview:
2019-12-19 1:36 [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN Edwin Peer
2019-12-19 1:36 ` [RFC PATCH bpf-next 2/2] bpf: relax CAP_SYS_ADMIN requirement for BPF_PROG_TEST_RUN Edwin Peer
2019-12-19 1:36 ` Edwin Peer [this message]
2019-12-19 7:19 ` [RFC PATCH bpf-next 0/2] unprivileged BPF_PROG_TEST_RUN Y Song
2019-12-19 14:50 ` Edwin Peer
2019-12-19 15:47 ` Daniel Borkmann
2019-12-19 17:05 ` Edwin Peer
2019-12-19 19:26 ` Alexei Starovoitov
2019-12-19 20:06 ` Edwin Peer
2019-12-19 21:52 ` Alexei Starovoitov