bpf: Fix tcx/netkit detach permissions when prog fd isn't given

This commit fixes a security issue where BPF_PROG_DETACH on tcx or
netkit devices could be executed by any user when no program fd was
provided, bypassing permission checks. The fix adds a capability
check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.

Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support")
Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com>
Link: https://lore.kernel.org/r/20260127160200.10395-1-ggonnet.linux@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Guillaume Gonnet and committed by
Alexei Starovoitov
ae23bc81 35538dba

+17 -5
+5
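--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -3362,6 +3362,11 @@
 }
 #endif /* CONFIG_BPF_SYSCALL */
 
+static inline bool bpf_net_capable(void)
+{
+	return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN);
+}
+
 static __always_inline int
 bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr)
 {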
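Review bot: bpf_net_capable() becomes a header-visible helper here with no comment stating what it authorizes, and it is placed after the `#endif /* CONFIG_BPF_SYSCALL */`, which looks deliberate so that bpf_mprog.h can use it under any config — worth saying so at the definition. A one-line kernel-doc would do: `/* Caller may perform privileged BPF networking attach/detach: CAP_NET_ADMIN or CAP_SYS_ADMIN. Kept outside CONFIG_BPF_SYSCALL so bpf_mprog.h can use it. */`. Note also that capable() is not a pure query in the kernel (it records the capability use), so the short-circuit order NET_ADMIN first, SYS_ADMIN second is the preferable one and should be preserved by future edits.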
+10
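--- a/include/linux/bpf_mprog.h
+++ b/include/linux/bpf_mprog.h
@@ -340,4 +340,14 @@
 		return false;
 	}
 }
+
+static inline bool bpf_mprog_detach_empty(enum bpf_prog_type type)
+{
+	switch (type) {
+	case BPF_PROG_TYPE_SCHED_CLS:
+		return bpf_net_capable();
+	default:
+		return false;
+	}
+}
 #endif /* __BPF_MPROG_H */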
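Review bot: bpf_mprog_detach_empty() reads like a state predicate ("is the detach empty?") but is actually an authorization check, and nothing at the definition says so or explains why only BPF_PROG_TYPE_SCHED_CLS is listed (tcx and netkit both attach SCHED_CLS programs, which is presumably why one case covers the "tcx/netkit" of the commit title). Suggested kernel-doc above the function: `/* Return true if the caller may issue BPF_PROG_DETACH for @type without naming a program fd. Only tcx/netkit (SCHED_CLS) support fd-less detach, and since no fd ownership proves authority there, require CAP_NET_ADMIN/CAP_SYS_ADMIN. */`. The helper also depends on bpf_net_capable() from bpf.h, whose inclusion by this header is not visible in the hunk — confirm the include chain so the header stays self-contained.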
+2 -5
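--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1363,11 +1363,6 @@
 	return ret;
 }
 
-static bool bpf_net_capable(void)
-{
-	return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN);
-}
-
 #define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash_size
 /* called via syscall */
 static int map_create(union bpf_attr *attr, bpfptr_t uattr)
@@ -4574,6 +4579,8 @@
 			prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
 			if (IS_ERR(prog))
 				return PTR_ERR(prog);
+		} else if (!bpf_mprog_detach_empty(ptype)) {
+			return -EPERM;
 		}
 	} else if (is_cgroup_prog_type(ptype, 0, false)) {
 		if (attr->attach_flags || attr->relative_fd)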
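Review bot: The new `else if` in the second hunk is the actual security fix, yet it carries no comment explaining why the fd-less path needs a capability when the fd path does not; a reader later may "simplify" the two branches and reintroduce the bypass. Suggested comment on the new branch: `/* No prog fd means the caller has no ownership proof; gate fd-less tcx/netkit detach on CAP_NET_ADMIN/CAP_SYS_ADMIN. */`. The enclosing condition that selects this branch and the function it belongs to both start and end outside the hunk, so I could not confirm that only tcx/netkit types reach it — if other types can, the `default: return false` in bpf_mprog_detach_empty() would make their fd-less detach fail with -EPERM, which should be verified or documented. The first hunk is a pure move of bpf_net_capable() into the header and needs nothing further.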