lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1652079475-16684-3-git-send-email-yangtiezhu@loongson.cn>
Date:   Mon,  9 May 2022 14:57:54 +0800
From:   Tiezhu Yang <yangtiezhu@...ngson.cn>
To:     davem@...emloft.net, Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH bpf-next 2/3] net: sysctl: No need to check CAP_SYS_ADMIN for bpf_jit_*

The mode of the following procnames are defined as 0644, 0600, 0600
and 0600 respectively in net_core_table[], normal user can not write
them, so no need to check CAP_SYS_ADMIN in the related proc_handler
function, just remove the checks.

/proc/sys/net/core/bpf_jit_enable
/proc/sys/net/core/bpf_jit_harden
/proc/sys/net/core/bpf_jit_kallsyms
/proc/sys/net/core/bpf_jit_limit

Signed-off-by: Tiezhu Yang <yangtiezhu@...ngson.cn>
---
 net/core/sysctl_net_core.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index cf00dd7..059352b 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -268,9 +268,6 @@ static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write,
 	int ret, jit_enable = *(int *)table->data;
 	struct ctl_table tmp = *table;
 
-	if (write && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	tmp.data = &jit_enable;
 	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
 	if (write && !ret) {
@@ -291,9 +288,6 @@ static int
 proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
 				    void *buffer, size_t *lenp, loff_t *ppos)
 {
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
 }
 # endif /* CONFIG_HAVE_EBPF_JIT */
@@ -302,9 +296,6 @@ static int
 proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
 				     void *buffer, size_t *lenp, loff_t *ppos)
 {
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
 }
 #endif
-- 
2.1.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ