diff mbox series

[bpf-next] bpf: Add CAP_NET_ADMIN for sk_lookup program type

Message ID 20220130030352.2710479-1-hefengqing@huawei.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series [bpf-next] bpf: Add CAP_NET_ADMIN for sk_lookup program type | expand

Checks

Context Check Description
bpf/vmtest-bpf-next success VM_Test
bpf/vmtest-bpf-next-PR success PR summary
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 12 this patch: 12
netdev/cc_maintainers fail 1 blamed authors not CCed: jakub@cloudflare.com; 2 maintainers not CCed: kpsingh@kernel.org jakub@cloudflare.com
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes fail Problems with Fixes tag: 1
netdev/build_allmodconfig_warn success Errors and warnings before: 17 this patch: 17
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

He Fengqing Jan. 30, 2022, 3:03 a.m. UTC 
SK_LOOKUP program type was introduced in commit e9ddbb7707ff
("bpf: Introduce SK_LOOKUP program type with a dedicated attach point"),
but the commit did not add SK_LOOKUP program type in net admin prog type.
I think SK_LOOKUP program type should need CAP_NET_ADMIN, so add SK_LOOKUP
program type in net_admin_prog_type.

Fixes: e9ddbb7707ff ("bpf: Introduce SK_LOOKUP program type with a dedicated attach point")

Signed-off-by: He Fengqing <hefengqing@huawei.com>
---
 kernel/bpf/syscall.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Alexei Starovoitov Jan. 30, 2022, 3:24 a.m. UTC | #1 
On Sat, Jan 29, 2022 at 6:16 PM He Fengqing <hefengqing@huawei.com> wrote:
>
> SK_LOOKUP program type was introduced in commit e9ddbb7707ff
> ("bpf: Introduce SK_LOOKUP program type with a dedicated attach point"),
> but the commit did not add SK_LOOKUP program type in net admin prog type.
> I think SK_LOOKUP program type should need CAP_NET_ADMIN, so add SK_LOOKUP
> program type in net_admin_prog_type.

I'm afraid it's too late to change.

Jakub, Marek, wdyt?


> Fixes: e9ddbb7707ff ("bpf: Introduce SK_LOOKUP program type with a dedicated attach point")
>
> Signed-off-by: He Fengqing <hefengqing@huawei.com>
> ---
>  kernel/bpf/syscall.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 9befb1123770..2a8a4a5266fb 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -2163,6 +2163,7 @@ static bool is_net_admin_prog_type(enum bpf_prog_type prog_type)
>         case BPF_PROG_TYPE_SK_MSG:
>         case BPF_PROG_TYPE_LIRC_MODE2:
>         case BPF_PROG_TYPE_FLOW_DISSECTOR:
> +       case BPF_PROG_TYPE_SK_LOOKUP:
>         case BPF_PROG_TYPE_CGROUP_DEVICE:
>         case BPF_PROG_TYPE_CGROUP_SOCK:
>         case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
> --
> 2.25.1
>
Jakub Sitnicki Jan. 30, 2022, 12:25 p.m. UTC | #2 
On Sun, Jan 30, 2022 at 04:24 AM CET, Alexei Starovoitov wrote:
> On Sat, Jan 29, 2022 at 6:16 PM He Fengqing <hefengqing@huawei.com> wrote:
>>
>> SK_LOOKUP program type was introduced in commit e9ddbb7707ff
>> ("bpf: Introduce SK_LOOKUP program type with a dedicated attach point"),
>> but the commit did not add SK_LOOKUP program type in net admin prog type.
>> I think SK_LOOKUP program type should need CAP_NET_ADMIN, so add SK_LOOKUP
>> program type in net_admin_prog_type.
>
> I'm afraid it's too late to change.
>
> Jakub, Marek, wdyt?

That's definitely an oversight on my side, considering that CAP_BPF came
in 5.8, and sk_lookup program first appeared in 5.9.

Today it's possible to build a usable sk_lookup program without
CAP_NET_ADMIN if you go for REUSEPORT_SOCKARRAY map instead of
SOCKMAP/HASH.

Best I can come up is a "phase it out" approach. Put the CAP_NET_ADMIN
load-time check behind a config option, defaulting to true?, and wait
for it to become obsolete.
Alexei Starovoitov Feb. 1, 2022, 8:25 p.m. UTC | #3 
On Sun, Jan 30, 2022 at 4:25 AM Jakub Sitnicki <jakub@cloudflare.com> wrote:
>
> On Sun, Jan 30, 2022 at 04:24 AM CET, Alexei Starovoitov wrote:
> > On Sat, Jan 29, 2022 at 6:16 PM He Fengqing <hefengqing@huawei.com> wrote:
> >>
> >> SK_LOOKUP program type was introduced in commit e9ddbb7707ff
> >> ("bpf: Introduce SK_LOOKUP program type with a dedicated attach point"),
> >> but the commit did not add SK_LOOKUP program type in net admin prog type.
> >> I think SK_LOOKUP program type should need CAP_NET_ADMIN, so add SK_LOOKUP
> >> program type in net_admin_prog_type.
> >
> > I'm afraid it's too late to change.
> >
> > Jakub, Marek, wdyt?
>
> That's definitely an oversight on my side, considering that CAP_BPF came
> in 5.8, and sk_lookup program first appeared in 5.9.
>
> Today it's possible to build a usable sk_lookup program without
> CAP_NET_ADMIN if you go for REUSEPORT_SOCKARRAY map instead of
> SOCKMAP/HASH.
>
> Best I can come up is a "phase it out" approach. Put the CAP_NET_ADMIN
> load-time check behind a config option, defaulting to true?, and wait
> for it to become obsolete.

I would keep it as-is then. The trouble doesn't feel worth it.
diff mbox series

Patch

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 9befb1123770..2a8a4a5266fb 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2163,6 +2163,7 @@  static bool is_net_admin_prog_type(enum bpf_prog_type prog_type)
 	case BPF_PROG_TYPE_SK_MSG:
 	case BPF_PROG_TYPE_LIRC_MODE2:
 	case BPF_PROG_TYPE_FLOW_DISSECTOR:
+	case BPF_PROG_TYPE_SK_LOOKUP:
 	case BPF_PROG_TYPE_CGROUP_DEVICE:
 	case BPF_PROG_TYPE_CGROUP_SOCK:
 	case BPF_PROG_TYPE_CGROUP_SOCK_ADDR: