diff mbox series

[bpf-next] bpf: use bpf_capable() instead of CAP_SYS_ADMIN for blinding decision

Message ID 20220905090149.61221-1-ykaliuta@redhat.com (mailing list archive)
State Accepted
Commit bfeb7e399bacae4ee46ad978f5fce3e47f0978d6
Delegated to: BPF
Headers show
Series [bpf-next] bpf: use bpf_capable() instead of CAP_SYS_ADMIN for blinding decision | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1296 this patch: 1296
netdev/cc_maintainers warning 14 maintainers not CCed: edumazet@google.com atenart@kernel.org john.fastabend@gmail.com jolsa@kernel.org song@kernel.org yhs@fb.com linux-doc@vger.kernel.org haoluo@google.com kuba@kernel.org martin.lau@linux.dev corbet@lwn.net kpsingh@kernel.org davem@davemloft.net sdf@google.com
netdev/build_clang success Errors and warnings before: 148 this patch: 148
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1307 this patch: 1307
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 17 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-1 success Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 success Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-16 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-10 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-11 success Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-7 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-6 success Logs for test_maps on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-9 success Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-12 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-4 success Logs for llvm-toolchain
bpf/vmtest-bpf-next-VM_Test-5 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-2 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for x86_64 with llvm-16

Commit Message

Yauheni Kaliuta Sept. 5, 2022, 9:01 a.m. UTC 
The full CAP_SYS_ADMIN requirement for blining looks too strict
nowadays. These days given unpriv eBPF is disabled by default, the
main users for constant blinding coming from unpriv in particular
via cBPF -> eBPF migration (e.g. old-style socket filters).

Discussion: https://lore.kernel.org/bpf/20220831090655.156434-1-ykaliuta@redhat.com/

Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com>
---
 Documentation/admin-guide/sysctl/net.rst | 3 +++
 include/linux/filter.h                   | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org Sept. 16, 2022, 8:20 p.m. UTC | #1 
Hello:

This patch was applied to bpf/bpf-next.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Mon,  5 Sep 2022 12:01:49 +0300 you wrote:
> The full CAP_SYS_ADMIN requirement for blining looks too strict
> nowadays. These days given unpriv eBPF is disabled by default, the
> main users for constant blinding coming from unpriv in particular
> via cBPF -> eBPF migration (e.g. old-style socket filters).
> 
> Discussion: https://lore.kernel.org/bpf/20220831090655.156434-1-ykaliuta@redhat.com/
> 
> [...]

Here is the summary with links:
  - [bpf-next] bpf: use bpf_capable() instead of CAP_SYS_ADMIN for blinding decision
    https://git.kernel.org/bpf/bpf-next/c/bfeb7e399bac

You are awesome, thank you!
diff mbox series

Patch

diff --git a/Documentation/admin-guide/sysctl/net.rst b/Documentation/admin-guide/sysctl/net.rst
index 805f2281e000..ff1e5b5acd28 100644
--- a/Documentation/admin-guide/sysctl/net.rst
+++ b/Documentation/admin-guide/sysctl/net.rst
@@ -101,6 +101,9 @@  Values:
 	- 1 - enable JIT hardening for unprivileged users only
 	- 2 - enable JIT hardening for all users
 
+where "privileged user" in this context means a process having
+CAP_BPF or CAP_SYS_ADMIN in the root user name space.
+
 bpf_jit_kallsyms
 ----------------
 
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 527ae1d64e27..75335432fcbc 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -1099,7 +1099,7 @@  static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog)
 		return false;
 	if (!bpf_jit_harden)
 		return false;
-	if (bpf_jit_harden == 1 && capable(CAP_SYS_ADMIN))
+	if (bpf_jit_harden == 1 && bpf_capable())
 		return false;
 
 	return true;