]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
bpf: restrict access to core bpf sysctls
authorDaniel Borkmann <daniel@iogearbox.net>
Sat, 20 Jan 2018 00:24:34 +0000 (01:24 +0100)
committerAlexei Starovoitov <ast@kernel.org>
Sat, 20 Jan 2018 02:37:00 +0000 (18:37 -0800)
Given BPF reaches far beyond just networking these days, it was
never intended to allow setting and in some cases reading those
knobs out of a user namespace root running without CAP_SYS_ADMIN,
thus tighten such access.

Also the bpf_jit_enable = 2 debugging mode should only be allowed
if kptr_restrict is not set since it otherwise can leak addresses
to the kernel log. Dump a note to the kernel log that this is for
debugging JITs only when enabled.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
net/core/sysctl_net_core.c

index 6d39b4c01fc6d22b0e18973b82edf97ef0714c33..f2d0462611c35b16aaca6d060e78e5e5af9aa2a4 100644 (file)
@@ -251,6 +251,46 @@ static int proc_do_rss_key(struct ctl_table *table, int write,
        return proc_dostring(&fake_table, write, buffer, lenp, ppos);
 }
 
+#ifdef CONFIG_BPF_JIT
+static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write,
+                                          void __user *buffer, size_t *lenp,
+                                          loff_t *ppos)
+{
+       int ret, jit_enable = *(int *)table->data;
+       struct ctl_table tmp = *table;
+
+       if (write && !capable(CAP_SYS_ADMIN))
+               return -EPERM;
+
+       tmp.data = &jit_enable;
+       ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+       if (write && !ret) {
+               if (jit_enable < 2 ||
+                   (jit_enable == 2 && bpf_dump_raw_ok())) {
+                       *(int *)table->data = jit_enable;
+                       if (jit_enable == 2)
+                               pr_warn("bpf_jit_enable = 2 was set! NEVER use this in production, only for JIT debugging!\n");
+               } else {
+                       ret = -EPERM;
+               }
+       }
+       return ret;
+}
+
+# ifdef CONFIG_HAVE_EBPF_JIT
+static int
+proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+                                   void __user *buffer, size_t *lenp,
+                                   loff_t *ppos)
+{
+       if (!capable(CAP_SYS_ADMIN))
+               return -EPERM;
+
+       return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+}
+# endif
+#endif
+
 static struct ctl_table net_core_table[] = {
 #ifdef CONFIG_NET
        {
@@ -326,7 +366,7 @@ static struct ctl_table net_core_table[] = {
                .data           = &bpf_jit_enable,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-               .proc_handler   = proc_dointvec_minmax,
+               .proc_handler   = proc_dointvec_minmax_bpf_enable,
 # ifdef CONFIG_BPF_JIT_ALWAYS_ON
                .extra1         = &one,
                .extra2         = &one,
@@ -341,7 +381,7 @@ static struct ctl_table net_core_table[] = {
                .data           = &bpf_jit_harden,
                .maxlen         = sizeof(int),
                .mode           = 0600,
-               .proc_handler   = proc_dointvec_minmax,
+               .proc_handler   = proc_dointvec_minmax_bpf_restricted,
                .extra1         = &zero,
                .extra2         = &two,
        },
@@ -350,7 +390,7 @@ static struct ctl_table net_core_table[] = {
                .data           = &bpf_jit_kallsyms,
                .maxlen         = sizeof(int),
                .mode           = 0600,
-               .proc_handler   = proc_dointvec_minmax,
+               .proc_handler   = proc_dointvec_minmax_bpf_restricted,
                .extra1         = &zero,
                .extra2         = &one,
        },