Commit 7f6719f7 authored by Andrii Nakryiko's avatar Andrii Nakryiko Committed by Daniel Borkmann
Browse files

bpf: Keep BPF_PROG_LOAD permission checks clear of validations 



Move out flags validation and license checks out of the permission
checks. They were intermingled, which makes subsequent changes harder.
Clean this up: perform straightforward flag validation upfront, and
fetch and check license later, right where we use it. Also consolidate
capabilities check in one block, right after basic attribute sanity
checks.

Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarStanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/20230613223533.3689589-5-andrii@kernel.org
parent 6c3eba1c

kernel/bpf/syscall.c

+9 −12
Original line number Diff line number Diff line
@@ -2550,7 +2550,6 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size) 
	struct btf *attach_btf = NULL;

	int err;

	char license[128];

	bool is_gpl;



	if (CHECK_ATTR(BPF_PROG_LOAD))

		return -EINVAL;
@@ -2569,16 +2568,6 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size) 
	    !bpf_capable())

		return -EPERM;



	/* copy eBPF program license from user space */

	if (strncpy_from_bpfptr(license,

				make_bpfptr(attr->license, uattr.is_kernel),

				sizeof(license) - 1) < 0)

		return -EFAULT;

	license[sizeof(license) - 1] = 0;



	/* eBPF programs must be GPL compatible to use GPL-ed functions */

	is_gpl = license_is_gpl_compatible(license);



	/* Intent here is for unprivileged_bpf_disabled to block BPF program

	 * creation for unprivileged users; other actions depend

	 * on fd availability and access to bpffs, so are dependent on
@@ -2671,12 +2660,20 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size) 
			     make_bpfptr(attr->insns, uattr.is_kernel),

			     bpf_prog_insn_size(prog)) != 0)

		goto free_prog_sec;

	/* copy eBPF program license from user space */

	if (strncpy_from_bpfptr(license,

				make_bpfptr(attr->license, uattr.is_kernel),

				sizeof(license) - 1) < 0)

		goto free_prog_sec;

	license[sizeof(license) - 1] = 0;



	/* eBPF programs must be GPL compatible to use GPL-ed functions */

	prog->gpl_compatible = license_is_gpl_compatible(license) ? 1 : 0;



	prog->orig_prog = NULL;

	prog->jited = 0;



	atomic64_set(&prog->aux->refcnt, 1);

	prog->gpl_compatible = is_gpl ? 1 : 0;



	if (bpf_prog_is_dev_bound(prog->aux)) {

		err = bpf_prog_dev_bound_init(prog, attr);