From: KP Singh <kpsingh@xxxxxxxxxx>
Add validation checks for the attachment of eBPF programs.
The following permissions are required:
- CAP_SYS_ADMIN to load eBPF programs
- CAP_MAC_ADMIN (to update the policy of an LSM)
- The securityfs file being a KRSI hook and writable (O_RDWR)
Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
---
security/krsi/ops.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/security/krsi/ops.c b/security/krsi/ops.c
index cf4d06189aa1..a61508b7018f 100644
--- a/security/krsi/ops.c
+++ b/security/krsi/ops.c
@@ -23,11 +23,31 @@ static struct krsi_hook *get_hook_from_fd(int fd)
goto error;
}
+ /*
+ * Only CAP_MAC_ADMIN users are allowed to make
+ * changes to LSM hooks
+ */
+ if (!capable(CAP_MAC_ADMIN)) {
+ ret = -EPERM;
+ goto error;
+ }
+
if (!is_krsi_hook_file(f.file)) {
ret = -EINVAL;
goto error;
}
+ /*
+ * It's wrong to attach the program to the hook
+ * if the file is not opened for a write. Note that,
+ * this is an EBADF and not an EPERM because the file
+ * has been opened with an incorrect mode.
+ */
+ if (!(f.file->f_mode & FMODE_WRITE)) {
+ ret = -EBADF;
+ goto error;
+ }
+
/*
* The securityfs dentry never disappears, so we don't need to take a
* reference to it.
--
2.20.1
