path: root/kernel/bpf/syscall.c
author Chenbo Feng <fengc@google.com> 2017-06-02 17:24:31 -0700
committer Michael Bestas <mkbestas@lineageos.org> 2022-04-19 00:51:12 +0300
commit 0d559c9e9f1bbfac52fda4b504b56ef6ab2b2ee3 (patch)
tree 8a948211031391ed4ca620a547eee8705437a65c /kernel/bpf/syscall.c
parent b5be810c12a12818d5b7e65103f208b5fa7f2130 (diff)
FROMLIST: [net-next,v2,2/2] bpf: Remove the capability check for cgroup skb eBPF program
Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN capability while attaching the program to a cgroup only requires the user to have CAP_NET_ADMIN privilege. We can escape the capability check when loading the program just like socket filter program to make the capability requirement consistent.

Change since v1:
Change the code style in order to be compliant with checkpatch.pl preference

(url: http://patchwork.ozlabs.org/patch/769460/)
Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 30950746
Change-Id: Ibe51235127d6f9349b8f563ad31effc061b278ed
Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
Diffstat (limited to 'kernel/bpf/syscall.c')
-rw-r--r-- kernel/bpf/syscall.c 4
1 file changed, 3 insertions, 1 deletion
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index b5dcd59c97ef..1cf7a34a4858 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -747,7 +747,9 @@ static int bpf_prog_load(union bpf_attr *attr)
attr->kern_version != LINUX_VERSION_CODE)
return -EINVAL;
- if (type != BPF_PROG_TYPE_SOCKET_FILTER && !capable(CAP_SYS_ADMIN))
+ if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
+ type != BPF_PROG_TYPE_CGROUP_SKB &&
+ !capable(CAP_SYS_ADMIN))
return -EPERM;
/* plain bpf_prog allocation */
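Review bot: The widened condition in bpf_prog_load() now lets any caller load a BPF_PROG_TYPE_CGROUP_SKB program without CAP_SYS_ADMIN, and nothing in the code says why this type is safe to exempt. The commit message relies on the attach path requiring CAP_NET_ADMIN, but that check is not part of this hunk, so the only visible gate for cgroup skb programs is removed here. Please add a comment above the `if` naming the attach-time CAP_NET_ADMIN check as the remaining control, and state in the commit message whether cgroup skb programs loaded this way are subject to the same restrictions as unprivileged socket filter programs. With two exempt types chained by `&&`, a small helper or switch listing the types loadable without CAP_SYS_ADMIN would also make later additions easier to audit.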