path: root/extensions/libxt_tcp.c
author: Maciej Żenczykowski <maze@google.com> 2020-03-31 09:07:03 -0700
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-04-15 01:03:13 +0200
commit: 74ef6f1c16ff672139031330dc71c274300dfb2e (patch)
tree: 75feb52d1106e6d6cdc03746a9d20789f9e805c2 /extensions/libxt_tcp.c
parent: 200bc399651499f502ac0de45f4d4aa4c9d37ab6 (diff)
iptables: open eBPF programs in read only mode
Adjust the mode eBPF programs are opened in so 0400 pinned bpf programs
work without requiring CAP_DAC_OVERRIDE.

This matches Linux 5.2's:

    commit e547ff3f803e779a3898f1f48447b29f43c54085
    Author: Chenbo Feng <fengc@google.com>
    Date:   Tue May 14 19:42:57 2019 -0700

    bpf: relax inode permission check for retrieving bpf program

    For iptable module to load a bpf program from a pinned location, it
    only retrieves a loaded program and cannot change the program content
    so requiring a write permission for it might not be necessary. Also
    when adding or removing an unrelated iptable rule, it might need to
    flush and reload the xt_bpf related rules as well and triggers the
    inode permission check. It might be better to remove the write
    permission check for the inode so we won't need to grant write access
    to all the processes that flush and restore iptables rules.

    kernel/bpf/inode.c:
    -	int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
    +	int ret = inode_permission(inode, MAY_READ);

In practice, AFAICT, the xt_bpf match .fd field isn't even used by new
kernels, but I believe it might be needed for compatibility with old ones
(though I'm pretty sure table modifications on them will outright fail).

Test: builds, passes Android test suite (albeit on an older iptables base),
git grep bpf_obj_get - finds no other users

Cc: Chenbo Feng <fengc@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_tcp.c')
0 files changed, 0 insertions, 0 deletions