Skip to content
Commit 3cf214f2 authored by Andrii Nakryiko's avatar Andrii Nakryiko Committed by Greg Kroah-Hartman
Browse files

bpf: Move unprivileged checks into map_create() and bpf_prog_load() 

[ Upstream commit 1d28635a

 ]

Make each bpf() syscall command a bit more self-contained, making it
easier to further enhance it. We move sysctl_unprivileged_bpf_disabled
handling down to map_create() and bpf_prog_load(), two special commands
in this regard.

Also swap the order of checks, calling bpf_capable() only if
sysctl_unprivileged_bpf_disabled is true, avoiding unnecessary audit
messages.

Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarStanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/20230613223533.3689589-2-andrii@kernel.org
Stable-dep-of: 640a6045

 ("bpf, cpumap: Make sure kthread is running before map update returns")
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 0acc483f
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment