Date: Tue, 6 Jun 2017 15:44:22 -0700
From: Chenbo Feng <chenbofeng.kernel@...il.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Alexei Starovoitov <alexei.starovoitov@...il.com>,
netdev@...r.kernel.org, David Miller <davem@...emloft.net>,
Lorenzo Colitti <lorenzo@...gle.com>,
Chenbo Feng <fengc@...gle.com>
Subject: Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program
On 06/06/2017 09:56 AM, Daniel Borkmann wrote:
> On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
>> On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
>>> From: Chenbo Feng <fengc@...gle.com>
>>>
>>> Currently loading a cgroup skb eBPF program requires the CAP_SYS_ADMIN
>>> capability while attaching the program to a cgroup only requires the
>>> user to have CAP_NET_ADMIN privilege. We can escape the capability
>>> check when loading the program, just like for socket filter programs, to
>>> make the capability requirement consistent.
>>>
>>> Change since v1:
>>> Change the code style in order to be compliant with checkpatch.pl
>>> preference
>>>
>>> Signed-off-by: Chenbo Feng <fengc@...gle.com>
>>
>> as far as I can see they're indeed the same as socket filters, so
>> Acked-by: Alexei Starovoitov <ast@...nel.org>
>>
>> but I don't quite understand how it helps, since as you said
>> attaching such unpriv fd to cgroup still requires root.
>> Do you have more patches to follow?
>
> Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
> then we must at least also zero out the not-yet-initialized memory
> for the mac header for egress case in __cgroup_bpf_run_filter_skb().
>
Do you mean something like:
	if (type == BPF_CGROUP_INET_EGRESS) {
		offset = skb_network_header(skb) - skb_mac_header(skb);
		memset(skb_mac_header(skb), 0, offset);
	}
And could you explain more about why we need to do this if we remove the
CAP_SYS_ADMIN check? I thought we still cannot directly access the
sk_buff without using the bpf_skb_load_bytes helper, and we still need
CAP_NET_ADMIN in order to attach and run the program on the egress side, right?
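The point Daniel raises is that on egress the L2 header area in front of the network header has been reserved but not yet written, so whatever the buffer held before is readable by a bounded byte-load helper unless it is zeroed first. The following user-space model in C is an added illustration, not kernel code and not from this thread; toy_skb, toy_skb_load_bytes and egress_zero_mac_header are constructed stand-ins for the kernel's sk_buff, the bpf_skb_load_bytes helper and the memset sketched above.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEADROOM 14 /* Ethernet header size reserved, not yet filled on egress */
#define PAYLOAD  20 /* bytes of L3+ data that the egress path has written */

/* Constructed model of an egress skb: mac header points at the reserved
 * headroom, network header at the first byte the stack actually wrote. */
struct toy_skb {
	uint8_t data[HEADROOM + PAYLOAD];
	uint8_t *mac_header;
	uint8_t *network_header;
};

/* Stand-in for a recycled buffer: the headroom still holds stale bytes. */
static void toy_skb_init(struct toy_skb *skb, uint8_t stale_byte)
{
	memset(skb->data, stale_byte, sizeof(skb->data));
	skb->mac_header = skb->data;
	skb->network_header = skb->data + HEADROOM;
	memset(skb->network_header, 0x45, PAYLOAD); /* only L3 is initialized */
}

/* Model of a bounds-checked byte-load helper; offset 0 is the mac header. */
static int toy_skb_load_bytes(const struct toy_skb *skb, size_t off, void *to, size_t len)
{
	if (off + len > sizeof(skb->data))
		return -1;
	memcpy(to, skb->data + off, len);
	return 0;
}

/* The mitigation under discussion: zero the unwritten mac header region
 * before an egress program gets to run. */
static void egress_zero_mac_header(struct toy_skb *skb)
{
	size_t offset = (size_t)(skb->network_header - skb->mac_header);
	memset(skb->mac_header, 0, offset);
}

/* Returns how many non-zero bytes a program can observe in the mac header
 * region; anything above 0 means stale memory is exposed. */
static int leaked_bytes(bool zero_first)
{
	struct toy_skb skb;
	uint8_t buf[HEADROOM];
	int n = 0;
	toy_skb_init(&skb, 0xAA); /* 0xAA marks stale, constructed content */
	if (zero_first)
		egress_zero_mac_header(&skb);
	if (toy_skb_load_bytes(&skb, 0, buf, HEADROOM) != 0)
		return -1;
	for (size_t i = 0; i < HEADROOM; i++)
		n += buf[i] != 0;
	return n;
}
```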