| From e547ff3f803e779a3898f1f48447b29f43c54085 Mon Sep 17 00:00:00 2001 |
| From: Chenbo Feng <fengc@google.com> |
| Date: Tue, 14 May 2019 19:42:57 -0700 |
| Subject: bpf: relax inode permission check for retrieving bpf program |
| |
| From: Chenbo Feng <fengc@google.com> |
| |
| commit e547ff3f803e779a3898f1f48447b29f43c54085 upstream. |
| |
| For iptable module to load a bpf program from a pinned location, it |
| only retrieve a loaded program and cannot change the program content so |
| requiring a write permission for it might not be necessary. |
| Also when adding or removing an unrelated iptable rule, it might need to |
| flush and reload the xt_bpf related rules as well and triggers the inode |
| permission check. It might be better to remove the write premission |
| check for the inode so we won't need to grant write access to all the |
| processes that flush and restore iptables rules. |
| |
| Signed-off-by: Chenbo Feng <fengc@google.com> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/bpf/inode.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/kernel/bpf/inode.c |
| +++ b/kernel/bpf/inode.c |
| @@ -518,7 +518,7 @@ out: |
| static struct bpf_prog *__get_prog_inode(struct inode *inode, enum bpf_prog_type type) |
| { |
| struct bpf_prog *prog; |
| - int ret = inode_permission(inode, MAY_READ | MAY_WRITE); |
| + int ret = inode_permission(inode, MAY_READ); |
| if (ret) |
| return ERR_PTR(ret); |
| |