The mode of the following procnames are defined as 0644, 0600, 0600
and 0600 respectively in net_core_table[], normal user can not write
them, so no need to check CAP_SYS_ADMIN in the related proc_handler
function, just remove the checks.
/proc/sys/net/core/bpf_jit_enable
/proc/sys/net/core/bpf_jit_harden
/proc/sys/net/core/bpf_jit_kallsyms
/proc/sys/net/core/bpf_jit_limit
Signed-off-by: Tiezhu Yang <[email protected]>
---
net/core/sysctl_net_core.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index cf00dd7..059352b 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -268,9 +268,6 @@ static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write,
int ret, jit_enable = *(int *)table->data;
struct ctl_table tmp = *table;
- if (write && !capable(CAP_SYS_ADMIN))
- return -EPERM;
-
tmp.data = &jit_enable;
ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
if (write && !ret) {
@@ -291,9 +288,6 @@ static int
proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
}
# endif /* CONFIG_HAVE_EBPF_JIT */
@@ -302,9 +296,6 @@ static int
proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
}
#endif
--
2.1.0
On 5/9/22 8:57 AM, Tiezhu Yang wrote:
> The mode of the following procnames are defined as 0644, 0600, 0600
> and 0600 respectively in net_core_table[], normal user can not write
> them, so no need to check CAP_SYS_ADMIN in the related proc_handler
> function, just remove the checks.
>
> /proc/sys/net/core/bpf_jit_enable
> /proc/sys/net/core/bpf_jit_harden
> /proc/sys/net/core/bpf_jit_kallsyms
> /proc/sys/net/core/bpf_jit_limit
>
> Signed-off-by: Tiezhu Yang <[email protected]>
I don't think we can make this assumption - there are various other (non-BPF)
sysctl handlers in the tree doing similar check to prevent from userns' based
CAP_SYS_ADMIN.
> ---
> net/core/sysctl_net_core.c | 9 ---------
> 1 file changed, 9 deletions(-)
>
> diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
> index cf00dd7..059352b 100644
> --- a/net/core/sysctl_net_core.c
> +++ b/net/core/sysctl_net_core.c
> @@ -268,9 +268,6 @@ static int proc_dointvec_minmax_bpf_enable(struct ctl_table *table, int write,
> int ret, jit_enable = *(int *)table->data;
> struct ctl_table tmp = *table;
>
> - if (write && !capable(CAP_SYS_ADMIN))
> - return -EPERM;
> -
> tmp.data = &jit_enable;
> ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
> if (write && !ret) {
> @@ -291,9 +288,6 @@ static int
> proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
> void *buffer, size_t *lenp, loff_t *ppos)
> {
> - if (!capable(CAP_SYS_ADMIN))
> - return -EPERM;
> -
> return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> }
> # endif /* CONFIG_HAVE_EBPF_JIT */
> @@ -302,9 +296,6 @@ static int
> proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
> void *buffer, size_t *lenp, loff_t *ppos)
> {
> - if (!capable(CAP_SYS_ADMIN))
> - return -EPERM;
> -
> return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
> }
> #endif
>
On 05/09/2022 11:02 PM, Daniel Borkmann wrote:
> On 5/9/22 8:57 AM, Tiezhu Yang wrote:
>> The mode of the following procnames are defined as 0644, 0600, 0600
>> and 0600 respectively in net_core_table[], normal user can not write
>> them, so no need to check CAP_SYS_ADMIN in the related proc_handler
>> function, just remove the checks.
>>
>> /proc/sys/net/core/bpf_jit_enable
>> /proc/sys/net/core/bpf_jit_harden
>> /proc/sys/net/core/bpf_jit_kallsyms
>> /proc/sys/net/core/bpf_jit_limit
>>
>> Signed-off-by: Tiezhu Yang <[email protected]>
>
> I don't think we can make this assumption - there are various other
> (non-BPF)
> sysctl handlers in the tree doing similar check to prevent from userns'
> based
> CAP_SYS_ADMIN.
>
OK, thank you for your reply, let me drop this patch now,
I will send v2 (patch #1 and #3) later.
Thanks,
Tiezhu