Re: capable_bpf_net_admin()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: capable_bpf_net_admin()
From: Maciej Żenczykowski <zenczykowski@xxxxxxxxx>
Date: Thu, 18 Jun 2020 12:21:58 -0700
Cc: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>, BPF Mailing List <bpf@xxxxxxxxxxxxxxx>, Alexei Starovoitov <ast@xxxxxxxxxx>, Daniel Borkmann <daniel@xxxxxxxxxxxxx>, Amit Pundir <amit.pundir@xxxxxxxxxx>
In-reply-to: <CALAqxLXgnqSM16=a3O1NyqYae1n_rMyw4_hcx5APm9s-h3TBtQ@mail.gmail.com>

Ok so I think

> +       if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN))
> +               return -EPERM;

should be

> +       if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN) && !capable(CAP_SYS_ADMIN))
> +               return -EPERM;

and presumably similar change just below that for perfmon.

Follow-Ups:
- Re: capable_bpf_net_admin()
  - From: John Stultz
- [PATCH] restore behaviour of CAP_SYS_ADMIN allowing the loading of net bpf program
  - From: Maciej Żenczykowski

References:
- capable_bpf_net_admin()
  - From: Maciej Żenczykowski
- Re: capable_bpf_net_admin()
  - From: Alexei Starovoitov
- Re: capable_bpf_net_admin()
  - From: Maciej Żenczykowski
- Re: capable_bpf_net_admin()
  - From: John Stultz

Prev by Date: RE: [PATCH bpf 2/2] selftests/bpf: add variable-length data concatenation pattern test
Next by Date: Re: [Potential Spoof] [PATCH bpf-next 4/6] bpf: Support access to bpf map fields
Previous by thread: Re: capable_bpf_net_admin()
Next by thread: [PATCH] restore behaviour of CAP_SYS_ADMIN allowing the loading of net bpf program
Index(es):
- Date
- Thread

[Index of Archives] [Linux Samsung SoC] [Linux Rockchip SoC] [Linux Actions SoC] [Linux for Synopsys ARC Processors] [Linux NFS] [Linux NILFS] [Linux USB Devel] [Video for Linux] [Linux Audio Users] [Yosemite News] [Linux Kernel] [Linux SCSI]

Powered by Linux