Commit 2e4a3098 authored by Daniel Borkmann's avatar Daniel Borkmann Committed by Alexei Starovoitov
Browse files

bpf: restrict access to core bpf sysctls 



Given BPF reaches far beyond just networking these days, it was
never intended to allow setting and in some cases reading those
knobs out of a user namespace root running without CAP_SYS_ADMIN,
thus tighten such access.

Also the bpf_jit_enable = 2 debugging mode should only be allowed
if kptr_restrict is not set since it otherwise can leak addresses
to the kernel log. Dump a note to the kernel log that this is for
debugging JITs only when enabled.

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent fa9dd599

net/core/sysctl_net_core.c

+43 −3
Original line number Diff line number Diff line
@@ -251,6 +251,46 @@ static int proc_do_rss_key(struct ctl_table *table, int write, 
	return proc_dostring(&fake_table, write, buffer, lenp, ppos);

}



#ifdef CONFIG_BPF_JIT

static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write,

					   void __user *buffer, size_t *lenp,

					   loff_t *ppos)

{

	int ret, jit_enable = *(int *)table->data;

	struct ctl_table tmp = *table;



	if (write && !capable(CAP_SYS_ADMIN))

		return -EPERM;



	tmp.data = &jit_enable;

	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);

	if (write && !ret) {

		if (jit_enable < 2 ||

		    (jit_enable == 2 && bpf_dump_raw_ok())) {

			*(int *)table->data = jit_enable;

			if (jit_enable == 2)

				pr_warn("bpf_jit_enable = 2 was set! NEVER use this in production, only for JIT debugging!\n");

		} else {

			ret = -EPERM;

		}

	}

	return ret;

}



# ifdef CONFIG_HAVE_EBPF_JIT

static int

proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,

				    void __user *buffer, size_t *lenp,

				    loff_t *ppos)

{

	if (!capable(CAP_SYS_ADMIN))

		return -EPERM;



	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);

}

# endif

#endif



static struct ctl_table net_core_table[] = {

#ifdef CONFIG_NET

	{
@@ -326,7 +366,7 @@ static struct ctl_table net_core_table[] = { 
		.data		= &bpf_jit_enable,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec_minmax,

		.proc_handler	= proc_dointvec_minmax_bpf_enable,

# ifdef CONFIG_BPF_JIT_ALWAYS_ON

		.extra1		= &one,

		.extra2		= &one,
@@ -341,7 +381,7 @@ static struct ctl_table net_core_table[] = { 
		.data		= &bpf_jit_harden,

		.maxlen		= sizeof(int),

		.mode		= 0600,

		.proc_handler	= proc_dointvec_minmax,

		.proc_handler	= proc_dointvec_minmax_bpf_restricted,

		.extra1		= &zero,

		.extra2		= &two,

	},
@@ -350,7 +390,7 @@ static struct ctl_table net_core_table[] = { 
		.data		= &bpf_jit_kallsyms,

		.maxlen		= sizeof(int),

		.mode		= 0600,

		.proc_handler	= proc_dointvec_minmax,

		.proc_handler	= proc_dointvec_minmax_bpf_restricted,

		.extra1		= &zero,

		.extra2		= &one,

	},

CRA Git | Maintained and supported by SUSTech CRA and CCSE