| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a6f447ba-4d75-2b9b-380d-8c3a01a0a9d4@gmail.com>
Date: Thu, 16 May 2019 17:53:34 -0700
From: Chenbo Feng <chenbofeng.kernel@...il.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>,
Chenbo Feng <fengc@...gle.com>
Cc: Network Development <netdev@...r.kernel.org>,
Android Kernel Team <kernel-team@...roid.com>,
Lorenzo Colitti <lorenzo@...gle.com>,
Maciej Żenczykowski <maze@...gle.com>,
Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>
Subject: Re: [PATCH bpf] bpf: relax inode permission check for retrieving bpf
program
On 5/16/19 11:35 AM, Alexei Starovoitov wrote:
> On Tue, May 14, 2019 at 7:43 PM Chenbo Feng <fengc@...gle.com> wrote:
>> For iptable module to load a bpf program from a pinned location, it
>> only retrieve a loaded program and cannot change the program content so
>> requiring a write permission for it might not be necessary.
>> Also when adding or removing an unrelated iptable rule, it might need to
>> flush and reload the xt_bpf related rules as well and triggers the inode
>> permission check. It might be better to remove the write premission
>> check for the inode so we won't need to grant write access to all the
>> processes that flush and restore iptables rules.
>>
>> Signed-off-by: Chenbo Feng <fengc@...gle.com>
> Applied. The fix makes sense to me.
Thanks for accepting it Alexei, could you also queue it up for the
stable as well?
Chenbo Feng
Powered by blists - more mailing lists