bpf: restrict access to core bpf sysctls
commit4d0475705481f2d2c74d49aba241d2b07a900d8f
authorDaniel Borkmann <daniel@iogearbox.net>
Fri, 16 Aug 2019 22:59:56 +0000 (16 23:59 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Aug 2019 08:51:40 +0000 (25 10:51 +0200)
tree98135366d5f37d6202807328235bc62d739839db
parent5124abda3060e2eab506fb14a27acadee3c3e396
bpf: restrict access to core bpf sysctls

commit 2e4a30983b0f9b19b59e38bbf7427d7fdd480d98 upstream.

Given BPF reaches far beyond just networking these days, it was
never intended to allow setting and in some cases reading those
knobs out of a user namespace root running without CAP_SYS_ADMIN,
thus tighten such access.

Also the bpf_jit_enable = 2 debugging mode should only be allowed
if kptr_restrict is not set since it otherwise can leak addresses
to the kernel log. Dump a note to the kernel log that this is for
debugging JITs only when enabled.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[bwh: Backported to 4.9:
 - We don't have bpf_dump_raw_ok(), so drop the condition based on it. This
   condition only made it a bit harder for a privileged user to do something
   silly.
 - Drop change to bpf_jit_kallsyms]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/core/sysctl_net_core.c