Commit 6c3eba1c authored by Andrii Nakryiko's avatar Andrii Nakryiko Committed by Daniel Borkmann

bpf: Centralize permissions checks for all BPF map types



This allows more centralized decisions to be made later on, and generally
makes it very explicit which maps are privileged and which are not
(e.g., LRU_HASH and LRU_PERCPU_HASH, which are privileged HASH variants,
as opposed to unprivileged HASH and HASH_PERCPU; now this is explicit
and easy to verify).

Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarStanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/20230613223533.3689589-4-andrii@kernel.org
parent 22db4122
+0 −3
@@ -86,9 +86,6 @@ static struct bpf_map *bloom_map_alloc(union bpf_attr *attr)
	int numa_node = bpf_map_attr_numa_node(attr);
	struct bpf_bloom_filter *bloom;

	if (!bpf_capable())
		return ERR_PTR(-EPERM);

	if (attr->key_size != 0 || attr->value_size == 0 ||
	    attr->max_entries == 0 ||
	    attr->map_flags & ~BLOOM_CREATE_FLAG_MASK ||
+0 −3
@@ -723,9 +723,6 @@ int bpf_local_storage_map_alloc_check(union bpf_attr *attr)
	    !attr->btf_key_type_id || !attr->btf_value_type_id)
		return -EINVAL;

	if (!bpf_capable())
		return -EPERM;

	if (attr->value_size > BPF_LOCAL_STORAGE_MAX_VALUE_SIZE)
		return -E2BIG;

+0 −3
@@ -655,9 +655,6 @@ static struct bpf_map *bpf_struct_ops_map_alloc(union bpf_attr *attr)
	const struct btf_type *t, *vt;
	struct bpf_map *map;

	if (!bpf_capable())
		return ERR_PTR(-EPERM);

	st_ops = bpf_struct_ops_find_value(attr->btf_vmlinux_value_type_id);
	if (!st_ops)
		return ERR_PTR(-ENOTSUPP);
+0 −4
@@ -28,7 +28,6 @@
#include <linux/sched.h>
#include <linux/workqueue.h>
#include <linux/kthread.h>
#include <linux/capability.h>
#include <trace/events/xdp.h>
#include <linux/btf_ids.h>

@@ -89,9 +88,6 @@ static struct bpf_map *cpu_map_alloc(union bpf_attr *attr)
	u32 value_size = attr->value_size;
	struct bpf_cpu_map *cmap;

	if (!bpf_capable())
		return ERR_PTR(-EPERM);

	/* check sanity of attributes */
	if (attr->max_entries == 0 || attr->key_size != 4 ||
	    (value_size != offsetofend(struct bpf_cpumap_val, qsize) &&
+0 −3
@@ -160,9 +160,6 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr)
	struct bpf_dtab *dtab;
	int err;

	if (!capable(CAP_NET_ADMIN))
		return ERR_PTR(-EPERM);

	dtab = bpf_map_area_alloc(sizeof(*dtab), NUMA_NO_NODE);
	if (!dtab)
		return ERR_PTR(-ENOMEM);
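Review bot: The check removed from dev_map_alloc() required capable(CAP_NET_ADMIN), whereas the checks removed in the bloom, local-storage, struct_ops and cpu_map hunks required bpf_capable(), so DEVMAP is the one place where the centralized check must not simply fall into the generic bpf_capable() case. The centralized check itself (presumably in the map-creation syscall path) is not in this chunk, so it should be confirmed there that the DEVMAP types keep the CAP_NET_ADMIN requirement, otherwise this hunk silently relaxes the privilege needed to create a device map. A short comment at the top of the function, e.g. `/* CAP_NET_ADMIN is checked centrally at map creation; no local check needed */`, would keep the missing check from being read as an oversight by the next reader. dev_map_alloc's body continues outside the hunk.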