| Message ID | 1652079475-16684-3-git-send-email-yangtiezhu@loongson.cn |
|---|---|
| State | Superseded |
| Delegated to | BPF |
| Series | Modify some code in sysctl_net_core.c |
On 5/9/22 8:57 AM, Tiezhu Yang wrote: > The mode of the following procnames are defined as 0644, 0600, 0600 > and 0600 respectively in net_core_table[], normal user can not write > them, so no need to check CAP_SYS_ADMIN in the related proc_handler > function, just remove the checks. > > /proc/sys/net/core/bpf_jit_enable > /proc/sys/net/core/bpf_jit_harden > /proc/sys/net/core/bpf_jit_kallsyms > /proc/sys/net/core/bpf_jit_limit > > Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> I don't think we can make this assumption - there are various other (non-BPF) sysctl handlers in the tree doing similar check to prevent from userns' based CAP_SYS_ADMIN. > --- > net/core/sysctl_net_core.c | 9 --------- > 1 file changed, 9 deletions(-) > > diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c > index cf00dd7..059352b 100644 > --- a/net/core/sysctl_net_core.c > +++ b/net/core/sysctl_net_core.c > @@ -268,9 +268,6 @@ static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write, > int ret, jit_enable = *(int *)table->data; > struct ctl_table tmp = *table; > > - if (write && !capable(CAP_SYS_ADMIN)) > - return -EPERM; > - > tmp.data = &jit_enable; > ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); > if (write && !ret) { > @@ -291,9 +288,6 @@ static int > proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write, > void *buffer, size_t *lenp, loff_t *ppos) > { > - if (!capable(CAP_SYS_ADMIN)) > - return -EPERM; > - > return proc_dointvec_minmax(table, write, buffer, lenp, ppos); > } > # endif /* CONFIG_HAVE_EBPF_JIT */ > @@ -302,9 +296,6 @@ static int > proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write, > void *buffer, size_t *lenp, loff_t *ppos) > { > - if (!capable(CAP_SYS_ADMIN)) > - return -EPERM; > - > return proc_doulongvec_minmax(table, write, buffer, lenp, ppos); > } > #endif >
On 05/09/2022 11:02 PM, Daniel Borkmann wrote:
> On 5/9/22 8:57 AM, Tiezhu Yang wrote:
>> The mode of the following procnames are defined as 0644, 0600, 0600
>> and 0600 respectively in net_core_table[], normal user can not write
>> them, so no need to check CAP_SYS_ADMIN in the related proc_handler
>> function, just remove the checks.
>>
>> /proc/sys/net/core/bpf_jit_enable
>> /proc/sys/net/core/bpf_jit_harden
>> /proc/sys/net/core/bpf_jit_kallsyms
>> /proc/sys/net/core/bpf_jit_limit
>>
>> Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
>
> I don't think we can make this assumption - there are various other (non-BPF)
> sysctl handlers in the tree doing similar check to prevent from userns' based
> CAP_SYS_ADMIN.
>

OK, thank you for your reply. Let me drop this patch now; I will send v2
(patch #1 and #3) later.

Thanks,
Tiezhu
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c index cf00dd7..059352b 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c @@ -268,9 +268,6 @@ static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write, int ret, jit_enable = *(int *)table->data; struct ctl_table tmp = *table; - if (write && !capable(CAP_SYS_ADMIN)) - return -EPERM; - tmp.data = &jit_enable; ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); if (write && !ret) { @@ -291,9 +288,6 @@ static int proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - return proc_dointvec_minmax(table, write, buffer, lenp, ppos); } # endif /* CONFIG_HAVE_EBPF_JIT */ @@ -302,9 +296,6 @@ static int proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - return proc_doulongvec_minmax(table, write, buffer, lenp, ppos); } #endif
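Review bot: in the first hunk (proc_dointvec_minmax_bpf_enable), dropping `if (write && !capable(CAP_SYS_ADMIN))` replaces a check evaluated inside the handler on every write, against CAP_SYS_ADMIN in the initial user namespace, with reliance on the 0644 file mode, which is a different check applied at a different point (by the proc layer when the file is opened, against the opener's credentials). The commit message treats the two as equivalent, and the reply in this thread points out that other sysctl handlers keep the handler-level check precisely to stop userns-based CAP_SYS_ADMIN. Either keep the check or state in the commit message why the mode alone is sufficient for bpf_jit_enable.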
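Review bot: in the second and third hunks (proc_dointvec_minmax_bpf_restricted and proc_dolongvec_minmax_bpf_restricted) the removed `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` has no `write &&` condition, so it gated reads as well as writes. The commit message argues only that a normal user cannot write these entries and says nothing about the read path, so the justification does not cover everything these two hunks change. The description should address the read side too, or those two hunks should be left out of this patch.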
The modes of the following procnames are defined as 0644, 0600, 0600
and 0600 respectively in net_core_table[]; a normal user cannot write
them, so there is no need to check CAP_SYS_ADMIN in the related proc_handler
functions, just remove the checks.

/proc/sys/net/core/bpf_jit_enable
/proc/sys/net/core/bpf_jit_harden
/proc/sys/net/core/bpf_jit_kallsyms
/proc/sys/net/core/bpf_jit_limit

Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
---
 net/core/sysctl_net_core.c | 9 ---------
 1 file changed, 9 deletions(-)