On Tue, Mar 24, 2020 at 07:31:30PM +0100, KP Singh wrote:
> On 24-Mär 19:27, KP Singh wrote:
> > We do not have a specific capable check for BPF_PROG_TYPE_LSM programs
> > now. There is a general check which requires CAP_SYS_ADMIN when
> > unprivileged BPF is disabled:
> >
> > in kernel/bpf/syscall.c:
> >
> >     if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
> >         return -EPERM;
> >
> > AFAIK, most distros disable unprivileged eBPF.
> >
> > Now that I look at this, I think we might need a CAP_MAC_ADMIN check
> > though as unprivileged BPF being enabled will result in an
> > unprivileged user being able to load MAC policies.
>
> Actually we do have an extra check for loading BPF programs:
>
> in kernel/bpf/syscall.c:bpf_prog_load
>
>     if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
>         type != BPF_PROG_TYPE_CGROUP_SKB &&
>         !capable(CAP_SYS_ADMIN))
>         return -EPERM;
>
> Do you think we still need a CAP_MAC_ADMIN check for LSM programs?

IMO, these are distinct privileges on the non-SELinux system. I think your
patch is fine as-is.

-- 
Kees Cook
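The two gates quoted in the thread, modelled as a userspace function so the cases can be walked through. This is an added example, not kernel code from the thread or the patch: the enum values, `struct load_ctx` and `bpf_prog_load_check` are hypothetical stand-ins for the sysctl, `capable(CAP_SYS_ADMIN)` and the checks in `bpf_prog_load`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Subset of program types needed for the model; the numeric values are
 * placeholders, not the kernel UAPI numbering. */
enum bpf_prog_type {
	BPF_PROG_TYPE_SOCKET_FILTER,
	BPF_PROG_TYPE_CGROUP_SKB,
	BPF_PROG_TYPE_KPROBE,
	BPF_PROG_TYPE_LSM,
};

/* Hypothetical caller context standing in for the sysctl value and for
 * capable(CAP_SYS_ADMIN) evaluated against the loading task. */
struct load_ctx {
	bool sysctl_unprivileged_bpf_disabled;
	bool cap_sys_admin;
};

/* Applies the two checks in the order the thread quotes them: first the
 * global unprivileged-BPF gate, then the per-type gate in bpf_prog_load that
 * admits only socket-filter and cgroup-skb programs without CAP_SYS_ADMIN.
 * Returns 0 if the load may proceed, -EPERM otherwise. */
int bpf_prog_load_check(enum bpf_prog_type type, const struct load_ctx *ctx)
{
	if (ctx->sysctl_unprivileged_bpf_disabled && !ctx->cap_sys_admin)
		return -EPERM;

	if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
	    type != BPF_PROG_TYPE_CGROUP_SKB &&
	    !ctx->cap_sys_admin)
		return -EPERM;

	return 0;
}

int main(void)
{
	/* The case KP Singh was worried about: unprivileged BPF enabled,
	 * caller without CAP_SYS_ADMIN, trying to load an LSM program. The
	 * per-type gate still rejects it, which is why no extra
	 * CAP_MAC_ADMIN check is needed for the capability question. */
	struct load_ctx unpriv = { .sysctl_unprivileged_bpf_disabled = false,
				   .cap_sys_admin = false };
	printf("LSM, unprivileged: %d\n", bpf_prog_load_check(BPF_PROG_TYPE_LSM, &unpriv));
	printf("SOCKET_FILTER, unprivileged: %d\n",
	       bpf_prog_load_check(BPF_PROG_TYPE_SOCKET_FILTER, &unpriv));
	return 0;
}
```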