13e4e7e6 GKH |
1 | From e547ff3f803e779a3898f1f48447b29f43c54085 Mon Sep 17 00:00:00 2001 |
2 | From: Chenbo Feng <fengc@google.com> | |
3 | Date: Tue, 14 May 2019 19:42:57 -0700 | |
4 | Subject: bpf: relax inode permission check for retrieving bpf program | |
5 | ||
6 | From: Chenbo Feng <fengc@google.com> | |
7 | ||
8 | commit e547ff3f803e779a3898f1f48447b29f43c54085 upstream. | |
9 | ||
10 | For the iptable module to load a bpf program from a pinned location, it | |
11 | only retrieves a loaded program and cannot change the program content, so | |
12 | requiring write permission for it might not be necessary. | |
13 | Also, when adding or removing an unrelated iptable rule, it might need to | |
14 | flush and reload the xt_bpf-related rules as well, which triggers the inode | |
15 | permission check. It might be better to remove the write permission | |
16 | check for the inode so we won't need to grant write access to all the | |
17 | processes that flush and restore iptables rules. | |
18 | ||
19 | Signed-off-by: Chenbo Feng <fengc@google.com> | |
20 | Signed-off-by: Alexei Starovoitov <ast@kernel.org> | |
21 | Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | |
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
23 | ||
24 | --- | |
25 | kernel/bpf/inode.c | 2 +- | |
26 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
27 | ||
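--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -518,7 +518,7 @@ out:
 static struct bpf_prog *__get_prog_inode(struct inode *inode, enum bpf_prog_type type)
 {
 struct bpf_prog *prog;
-int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
+int ret = inode_permission(inode, MAY_READ);
 if (ret)
 return ERR_PTR(ret);
 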
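Review bot: The new `inode_permission(inode, MAY_READ)` line silently moves the authorization boundary for this path: after this change, read permission on the pinned bpffs entry is sufficient to obtain a reference to the loaded program through `__get_prog_inode`, and nothing in the code or the description records that this is now the only access check performed here. A one-line comment above the call would keep the next reader from re-adding MAY_WRITE or from assuming write access is still required to use a pinned program, e.g. `/* Only read access is required: callers get a reference to an already-loaded program and cannot modify it; file mode/ownership on the pin is the control for who may use it. */`. The description's motivation is the iptables flush/restore case, but it is worth noting there that any other caller of this helper is relaxed in the same way. The body of `__get_prog_inode` continues past the hunk, so the later use of `prog` and any type check against `type` are not visible here.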