On 06/06/2017 09:56 AM, Daniel Borkmann wrote:
On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
From: Chenbo Feng <fe...@google.com>
Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user have CAP_NET_ADMIN privilege. We can escape the capability
check when load the program just like socket filter program to make
the capability requirement consistent.
Change since v1:
Change the code style in order to be compliant with checkpatch.pl
preference
Signed-off-by: Chenbo Feng <fe...@google.com>
as far as I can see they're indeed the same as socket filters, so
Acked-by: Alexei Starovoitov <a...@kernel.org>
but I don't quite understand how it helps, since as you said
attaching such unpriv fd to cgroup still requires root.
Do you have more patches to follow?
Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
then we must at least also zero out the not-yet-initialized memory
for the mac header for egress case in __cgroup_bpf_run_filter_skb().
Do you mean something like:
if (type == BPF_CGROUP_INET_EGRESS) {
offset = skb_network_header(skb) - skb_mac_header(skb);
memset(skb_mac_header(skb), 0, offset)
}
And could you explain more on why we need to do this if we remove the
CAP_SYS_ADMIN check? I thought we still cannot directly access the
sk_buff without using bpf_skb_load_bytes helper and we still need a
CAP_NET_ADMIN in order to attach and run the program on egress side right?
