|
Message-Id: <20160914072415.26021-16-mic@digikod.net> Date: Wed, 14 Sep 2016 09:24:08 +0200 From: Mickaël Salaün <mic@...ikod.net> To: linux-kernel@...r.kernel.org Cc: Mickaël Salaün <mic@...ikod.net>, Alexei Starovoitov <ast@...nel.org>, Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, Daniel Borkmann <daniel@...earbox.net>, Daniel Mack <daniel@...que.org>, David Drysdale <drysdale@...gle.com>, "David S . Miller" <davem@...emloft.net>, Elena Reshetova <elena.reshetova@...el.com>, "Eric W . Biederman" <ebiederm@...ssion.com>, James Morris <james.l.morris@...cle.com>, Kees Cook <keescook@...omium.org>, Paul Moore <pmoore@...hat.com>, Sargun Dhillon <sargun@...gun.me>, "Serge E . Hallyn" <serge@...lyn.com>, Tejun Heo <tj@...nel.org>, Will Drewry <wad@...omium.org>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-security-module@...r.kernel.org, netdev@...r.kernel.org, cgroups@...r.kernel.org Subject: [RFC v3 15/22] bpf/cgroup: Move capability check This will be useful to be able to add more BPF attach type with different capability checks. Signed-off-by: Mickaël Salaün <mic@...ikod.net> Cc: Alexei Starovoitov <ast@...nel.org> Cc: Daniel Borkmann <daniel@...earbox.net> Cc: Daniel Mack <daniel@...que.org> --- kernel/bpf/syscall.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index c978f2d9a1b3..8599596fd6cf 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -833,15 +833,15 @@ static int bpf_prog_attach(const union bpf_attr *attr) struct cgroup *cgrp; int result; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - if (CHECK_ATTR(BPF_PROG_ATTACH)) return -EINVAL; switch (attr->attach_type) { case BPF_CGROUP_INET_INGRESS: case BPF_CGROUP_INET_EGRESS: + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + prog = bpf_prog_get_type(attr->attach_bpf_fd, BPF_PROG_TYPE_CGROUP_SOCKET); break; @@ -872,15 +872,15 @@ static int bpf_prog_detach(const union bpf_attr *attr) struct cgroup *cgrp; int result = 0; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - if (CHECK_ATTR(BPF_PROG_DETACH)) return -EINVAL; switch (attr->attach_type) { case BPF_CGROUP_INET_INGRESS: case BPF_CGROUP_INET_EGRESS: + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + cgrp = cgroup_get_from_fd(attr->target_fd); if (IS_ERR(cgrp)) return PTR_ERR(cgrp); -- 2.9.3
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.