Commit 40cd308e authored by Martin KaFai Lau's avatar Martin KaFai Lau Committed by Alexei Starovoitov
Browse files

bpf: net: Change do_ipv6_setsockopt() to use the sockopt's lock_sock() and capable() 



Similar to the earlier patch that avoids sk_setsockopt() from
taking sk lock and doing capable test when called by bpf.  This patch
changes do_ipv6_setsockopt() to use the sockopt_{lock,release}_sock()
and sockopt_[ns_]capable().

Reviewed-by: default avatarStanislav Fomichev <sdf@google.com>
Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/r/20220817061744.4176893-1-kafai@fb.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 1df055d3

net/ipv6/ipv6_sockglue.c

+7 −7
Original line number Diff line number Diff line
@@ -327,7 +327,7 @@ static int ipv6_set_opt_hdr(struct sock *sk, int optname, sockptr_t optval, 
	int err;



	/* hop-by-hop / destination options are privileged option */

	if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW))

	if (optname != IPV6_RTHDR && !sockopt_ns_capable(net->user_ns, CAP_NET_RAW))

		return -EPERM;



	/* remove any sticky options header with a zero option
@@ -417,7 +417,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, 


	if (needs_rtnl)

		rtnl_lock();

	lock_sock(sk);

	sockopt_lock_sock(sk);



	switch (optname) {
@@ -634,8 +634,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, 
		break;



	case IPV6_TRANSPARENT:

		if (valbool && !ns_capable(net->user_ns, CAP_NET_RAW) &&

		    !ns_capable(net->user_ns, CAP_NET_ADMIN)) {

		if (valbool && !sockopt_ns_capable(net->user_ns, CAP_NET_RAW) &&

		    !sockopt_ns_capable(net->user_ns, CAP_NET_ADMIN)) {

			retv = -EPERM;

			break;

		}
@@ -946,7 +946,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, 
	case IPV6_IPSEC_POLICY:

	case IPV6_XFRM_POLICY:

		retv = -EPERM;

		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))

		if (!sockopt_ns_capable(net->user_ns, CAP_NET_ADMIN))

			break;

		retv = xfrm_user_policy(sk, optname, optval, optlen);

		break;
@@ -994,14 +994,14 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, 
		break;

	}



	release_sock(sk);

	sockopt_release_sock(sk);

	if (needs_rtnl)

		rtnl_unlock();



	return retv;



e_inval:

	release_sock(sk);

	sockopt_release_sock(sk);

	if (needs_rtnl)

		rtnl_unlock();

	return -EINVAL;