| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <586ea9a2-0c81-97f8-72f4-260e0fcabaff@loongson.cn>
Date: Tue, 10 May 2022 10:42:21 +0800
From: Tiezhu Yang <yangtiezhu@...ngson.cn>
To: Daniel Borkmann <daniel@...earbox.net>, davem@...emloft.net,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Alexei Starovoitov <ast@...nel.org>,
Andrii Nakryiko <andrii@...nel.org>
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf-next 2/3] net: sysctl: No need to check CAP_SYS_ADMIN
for bpf_jit_*
On 05/09/2022 11:02 PM, Daniel Borkmann wrote:
> On 5/9/22 8:57 AM, Tiezhu Yang wrote:
>> The mode of the following procnames are defined as 0644, 0600, 0600
>> and 0600 respectively in net_core_table[], normal user can not write
>> them, so no need to check CAP_SYS_ADMIN in the related proc_handler
>> function, just remove the checks.
>>
>> /proc/sys/net/core/bpf_jit_enable
>> /proc/sys/net/core/bpf_jit_harden
>> /proc/sys/net/core/bpf_jit_kallsyms
>> /proc/sys/net/core/bpf_jit_limit
>>
>> Signed-off-by: Tiezhu Yang <yangtiezhu@...ngson.cn>
>
> I don't think we can make this assumption - there are various other
> (non-BPF)
> sysctl handlers in the tree doing similar check to prevent from userns'
> based
> CAP_SYS_ADMIN.
>
OK, thank you for your reply, let me drop this patch now,
I will send v2 (patch #1 and #3) later.
Thanks,
Tiezhu
Powered by blists - more mailing lists