path: root/arch/x86/net/bpf_jit_comp.c
author: Daniel Borkmann 2018-01-20 01:24:34 +0100
committer: Alexei Starovoitov 2018-01-20 03:37:00 +0100
commit: 2e4a30983b0f9b19b59e38bbf7427d7fdd480d98 (patch)
tree: 7a284360e27df66f12da60329433fd7fd787183e /arch/x86/net/bpf_jit_comp.c
parent: bpf: get rid of pure_initcall dependency to enable jits (diff)
download: kernel-qcow2-linux-2e4a30983b0f9b19b59e38bbf7427d7fdd480d98.tar.gz, kernel-qcow2-linux-2e4a30983b0f9b19b59e38bbf7427d7fdd480d98.tar.xz, kernel-qcow2-linux-2e4a30983b0f9b19b59e38bbf7427d7fdd480d98.zip
bpf: restrict access to core bpf sysctls
Given BPF reaches far beyond just networking these days, it was never intended to allow setting and in some cases reading those knobs out of a user namespace root running without CAP_SYS_ADMIN, thus tighten such access. Also the bpf_jit_enable = 2 debugging mode should only be allowed if kptr_restrict is not set since it otherwise can leak addresses to the kernel log. Dump a note to the kernel log that this is for debugging JITs only when enabled.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'arch/x86/net/bpf_jit_comp.c')
0 files changed, 0 insertions, 0 deletions