* [PATCH net] tcp: restrict SO_ATTACH_FILTER to priv users
@ 2026-06-05 11:21 Eric Dumazet
From: Eric Dumazet @ 2026-06-05 11:21 UTC (permalink / raw)
To: David S. Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Neal Cardwell, Kuniyuki Iwashima, netdev,
eric.dumazet, Eric Dumazet, Tamir Shahar, Amit Klein,
Willem de Bruijn, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman,
Kumar Kartikeya Dwivedi, Song Liu, Yonghong Song, Jiri Olsa,
John Fastabend, Stanislav Fomichev
This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
to users with CAP_NET_ADMIN capability.
This blocks a potential side-channel attack where an unprivileged application
attaches a filter to leak TCP sequence/acknowledgment numbers.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Tamir Shahar <tamirthesis@gmail.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Stanislav Fomichev <sdf@fomichev.me>
---
net/core/sock.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/core/sock.c b/net/core/sock.c
index d097025c116a863b29346c12470a9c81ec38ac56..cab041b57d286536cd4299c98f0d7d3bf7499501 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1465,6 +1465,11 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
case SO_ATTACH_FILTER: {
struct sock_fprog fprog;
+ if (sk_is_tcp(sk) &&
+ !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ ret = -EPERM;
+ break;
+ }
ret = copy_bpf_fprog_from_user(&fprog, optval, optlen);
if (!ret)
ret = sk_attach_filter(&fprog, sk);
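Review bot: the new gate covers only the SO_ATTACH_FILTER case; the commit message does not say whether the other socket-filter attach paths in sk_setsockopt (the eBPF variant SO_ATTACH_BPF in particular) give a filter the same view of a TCP socket's packets, and if they do, the same `sk_is_tcp(sk) && !sockopt_ns_capable(...)` check belongs there too, or the message should state why it does not. Placing the check before copy_bpf_fprog_from_user() is the right order, since it avoids the copy_from_user() when the request is going to be refused anyway. The user-visible change also deserves a sentence in the commit message: unprivileged TCP sockets that could attach a cBPF filter before will now get EPERM, which socket(7) does not currently document for SO_ATTACH_FILTER.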
--
2.54.0.1032.g2f8565e1d1-goog
* Re: [PATCH net] tcp: restrict SO_ATTACH_FILTER to priv users
From: Daniel Borkmann @ 2026-06-05 14:18 UTC (permalink / raw)
To: Eric Dumazet, David S. Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Neal Cardwell, Kuniyuki Iwashima, netdev,
eric.dumazet, Tamir Shahar, Amit Klein, Willem de Bruijn,
Alexei Starovoitov, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Song Liu,
Yonghong Song, Jiri Olsa, John Fastabend, Stanislav Fomichev
On 6/5/26 1:21 PM, Eric Dumazet wrote:
> This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
> to users with CAP_NET_ADMIN capability.
>
> This blocks a potential side-channel attack where an unprivileged application
> attaches a filter to leak TCP sequence/acknowledgment numbers.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Tamir Shahar <tamirthesis@gmail.com>
> Reported-by: Amit Klein <aksecurity@gmail.com>
> Cc: Willem de Bruijn <willemb@google.com>
> Cc: Alexei Starovoitov <ast@kernel.org>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Andrii Nakryiko <andrii@kernel.org>
> Cc: Martin KaFai Lau <martin.lau@linux.dev>
> Cc: Eduard Zingerman <eddyz87@gmail.com>
> Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> Cc: Song Liu <song@kernel.org>
> Cc: Yonghong Song <yonghong.song@linux.dev>
> Cc: Jiri Olsa <jolsa@kernel.org>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Stanislav Fomichev <sdf@fomichev.me>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
* Re: [PATCH net] tcp: restrict SO_ATTACH_FILTER to priv users
From: Willem de Bruijn @ 2026-06-05 16:58 UTC (permalink / raw)
To: Daniel Borkmann, Eric Dumazet, David S. Miller, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Neal Cardwell, Kuniyuki Iwashima, netdev,
eric.dumazet, Tamir Shahar, Amit Klein, Willem de Bruijn,
Alexei Starovoitov, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Song Liu,
Yonghong Song, Jiri Olsa, John Fastabend, Stanislav Fomichev
Daniel Borkmann wrote:
> On 6/5/26 1:21 PM, Eric Dumazet wrote:
> > This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
> > to users with CAP_NET_ADMIN capability.
> >
> > This blocks a potential side-channel attack where an unprivileged application
> > attaches a filter to leak TCP sequence/acknowledgment numbers.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > Reported-by: Tamir Shahar <tamirthesis@gmail.com>
> > Reported-by: Amit Klein <aksecurity@gmail.com>
> > Cc: Willem de Bruijn <willemb@google.com>
> > Cc: Alexei Starovoitov <ast@kernel.org>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Andrii Nakryiko <andrii@kernel.org>
> > Cc: Martin KaFai Lau <martin.lau@linux.dev>
> > Cc: Eduard Zingerman <eddyz87@gmail.com>
> > Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> > Cc: Song Liu <song@kernel.org>
> > Cc: Yonghong Song <yonghong.song@linux.dev>
> > Cc: Jiri Olsa <jolsa@kernel.org>
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: Stanislav Fomichev <sdf@fomichev.me>
>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>