diff options
| author | Maciej Żenczykowski <maze@google.com> | 2020-03-31 09:07:03 -0700 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-04-15 01:03:13 +0200 |
| commit | 74ef6f1c16ff672139031330dc71c274300dfb2e (patch) | |
| tree | 75feb52d1106e6d6cdc03746a9d20789f9e805c2 /extensions | |
| parent | 200bc399651499f502ac0de45f4d4aa4c9d37ab6 (diff) | |
iptables: open eBPF programs in read only mode
Adjust the mode eBPF programs are opened in so 0400 pinned bpf programs
work without requiring CAP_DAC_OVERRIDE.
This matches Linux 5.2's:
commit e547ff3f803e779a3898f1f48447b29f43c54085
Author: Chenbo Feng <fengc@google.com>
Date: Tue May 14 19:42:57 2019 -0700
bpf: relax inode permission check for retrieving bpf program
For iptable module to load a bpf program from a pinned location, it
only retrieve a loaded program and cannot change the program content so
requiring a write permission for it might not be necessary.
Also when adding or removing an unrelated iptable rule, it might need to
flush and reload the xt_bpf related rules as well and triggers the inode
permission check. It might be better to remove the write premission
check for the inode so we won't need to grant write access to all the
processes that flush and restore iptables rules.
kernel/bpf/inode.c:
- int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
+ int ret = inode_permission(inode, MAY_READ);
In practice, AFAICT, the xt_bpf match .fd field isn't even used by new
kernels, but I believe it might be needed for compatibility with old ones
(though I'm pretty sure table modifications on them will outright fail).
Test: builds, passes Android test suite (albeit on an older iptables base),
git grep bpf_obj_get - finds no other users
Cc: Chenbo Feng <fengc@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libxt_bpf.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/extensions/libxt_bpf.c b/extensions/libxt_bpf.c index 92958247..eeae86e5 100644 --- a/extensions/libxt_bpf.c +++ b/extensions/libxt_bpf.c @@ -61,14 +61,26 @@ static const struct xt_option_entry bpf_opts_v1[] = { XTOPT_TABLEEND, }; -static int bpf_obj_get(const char *filepath) +static int bpf_obj_get_readonly(const char *filepath) { #if defined HAVE_LINUX_BPF_H && defined __NR_bpf && defined BPF_FS_MAGIC - union bpf_attr attr; - - memset(&attr, 0, sizeof(attr)); - attr.pathname = (__u64) filepath; - + /* union bpf_attr includes this in an anonymous struct, but the + * file_flags field and the BPF_F_RDONLY constant are only present + * in Linux 4.15+ kernel headers (include/uapi/linux/bpf.h) + */ + struct { // this part of union bpf_attr is for BPF_OBJ_* commands + __aligned_u64 pathname; + __u32 bpf_fd; + __u32 file_flags; + } attr = { + .pathname = (__u64)filepath, + .file_flags = (1U << 3), // BPF_F_RDONLY + }; + int fd = syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr)); + if (fd >= 0) return fd; + + /* on any error fallback to default R/W access for pre-4.15-rc1 kernels */ + attr.file_flags = 0; return syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr)); #else xtables_error(OTHER_PROBLEM, @@ -125,7 +137,7 @@ static void bpf_parse_string(struct sock_filter *pc, __u16 *lenp, __u16 len_max, static void bpf_parse_obj_pinned(struct xt_bpf_info_v1 *bi, const char *filepath) { - bi->fd = bpf_obj_get(filepath); + bi->fd = bpf_obj_get_readonly(filepath); if (bi->fd < 0) xtables_error(PARAMETER_PROBLEM, "bpf: failed to get bpf object"); |