[RFC v4 15/18] bpf/cgroup: Move capability check
From: Mickaël Salaün <mic@digikod.net>
Date: 2016-10-26 06:58:44
Also in:
cgroups, lkml, netdev
Subsystem:
bpf [core], bpf [general] (safe dynamic programs and tools), the rest · Maintainers:
Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi, Linus Torvalds
This will be useful to be able to add more BPF attach type with different capability checks. Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Daniel Mack <daniel@zonque.org> --- kernel/bpf/syscall.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index e62123aeb202..128acb4f7177 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c@@ -833,15 +833,15 @@ static int bpf_prog_attach(const union bpf_attr *attr) struct cgroup *cgrp; int result; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - if (CHECK_ATTR(BPF_PROG_ATTACH)) return -EINVAL; switch (attr->attach_type) { case BPF_CGROUP_INET_INGRESS: case BPF_CGROUP_INET_EGRESS: + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + prog = bpf_prog_get_type(attr->attach_bpf_fd, BPF_PROG_TYPE_CGROUP_SKB); break;
@@ -872,15 +872,15 @@ static int bpf_prog_detach(const union bpf_attr *attr) struct cgroup *cgrp; int result = 0; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - if (CHECK_ATTR(BPF_PROG_DETACH)) return -EINVAL; switch (attr->attach_type) { case BPF_CGROUP_INET_INGRESS: case BPF_CGROUP_INET_EGRESS: + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + cgrp = cgroup_get_from_fd(attr->target_fd); if (IS_ERR(cgrp)) return PTR_ERR(cgrp);
--
2.9.3