!9458 bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (f0ddb6a2) · Commits · EulixOS / Software / Kernel

kernel/bpf/syscall.c

+30 −23

Original line number	Diff line number	Diff line
		@@ -2945,29 +2945,6 @@ static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
		return err;
		}

		static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
		enum bpf_attach_type attach_type)
		{
		switch (prog->type) {
		case BPF_PROG_TYPE_CGROUP_SOCK:
		case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
		case BPF_PROG_TYPE_CGROUP_SOCKOPT:
		case BPF_PROG_TYPE_SK_LOOKUP:
		return attach_type == prog->expected_attach_type ? 0 : -EINVAL;
		case BPF_PROG_TYPE_CGROUP_SKB:
		if (!capable(CAP_NET_ADMIN))
		/* cg-skb progs can be loaded by unpriv user.
		* check permissions at attach time.
		*/
		return -EPERM;
		return prog->enforce_expected_attach_type &&
		prog->expected_attach_type != attach_type ?
		-EINVAL : 0;
		default:
		return 0;
		}
		}

		static enum bpf_prog_type
		attach_type_to_prog_type(enum bpf_attach_type attach_type)
		{
		@@ -3022,6 +2999,36 @@ attach_type_to_prog_type(enum bpf_attach_type attach_type)
		}
		}

		static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
		enum bpf_attach_type attach_type)
		{
		enum bpf_prog_type ptype;

		switch (prog->type) {
		case BPF_PROG_TYPE_CGROUP_SOCK:
		case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
		case BPF_PROG_TYPE_CGROUP_SOCKOPT:
		case BPF_PROG_TYPE_SK_LOOKUP:
		return attach_type == prog->expected_attach_type ? 0 : -EINVAL;
		case BPF_PROG_TYPE_CGROUP_SKB:
		if (!capable(CAP_NET_ADMIN))
		/* cg-skb progs can be loaded by unpriv user.
		* check permissions at attach time.
		*/
		return -EPERM;

		ptype = attach_type_to_prog_type(attach_type);
		if (prog->type != ptype)
		return -EINVAL;

		return prog->enforce_expected_attach_type &&
		prog->expected_attach_type != attach_type ?
		-EINVAL : 0;
		default:
		return 0;
		}
		}

		#define BPF_PROG_ATTACH_LAST_FIELD replace_bpf_fd

		#define BPF_F_ATTACH_MASK \