projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 13e4e7e6 GKH |
1 | From e547ff3f803e779a3898f1f48447b29f43c54085 Mon Sep 17 00:00:00 2001 |
| 2 | From: Chenbo Feng <fengc@google.com> | |
| 3 | Date: Tue, 14 May 2019 19:42:57 -0700 | |
| 4 | Subject: bpf: relax inode permission check for retrieving bpf program | |
| 5 | ||
| 6 | From: Chenbo Feng <fengc@google.com> | |
| 7 | ||
| 8 | commit e547ff3f803e779a3898f1f48447b29f43c54085 upstream. | |
| 9 | ||
| 10 | For iptable module to load a bpf program from a pinned location, it | |
| 11 | only retrieve a loaded program and cannot change the program content so | |
| 12 | requiring a write permission for it might not be necessary. | |
| 13 | Also when adding or removing an unrelated iptable rule, it might need to | |
| 14 | flush and reload the xt_bpf related rules as well and triggers the inode | |
| 15 | permission check. It might be better to remove the write premission | |
| 16 | check for the inode so we won't need to grant write access to all the | |
| 17 | processes that flush and restore iptables rules. | |
| 18 | ||
| 19 | Signed-off-by: Chenbo Feng <fengc@google.com> | |
| 20 | Signed-off-by: Alexei Starovoitov <ast@kernel.org> | |
| 21 | Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | |
| 22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 23 | ||
| 24 | --- | |
| 25 | kernel/bpf/inode.c | 2 +- | |
| 26 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
| 27 | ||
| 28 | --- a/kernel/bpf/inode.c | |
| 29 | +++ b/kernel/bpf/inode.c | |
| 30 | @@ -518,7 +518,7 @@ out: | |
| 31 | static struct bpf_prog *__get_prog_inode(struct inode *inode, enum bpf_prog_type type) | |
| 32 | { | |
| 33 | struct bpf_prog *prog; | |
| 34 | - int ret = inode_permission(inode, MAY_READ | MAY_WRITE); | |
| 35 | + int ret = inode_permission(inode, MAY_READ); | |
| 36 | if (ret) | |
| 37 | return ERR_PTR(ret); | |
| 38 |