bpf: Centralize permissions checks for all BPF map types
This allows to do more centralized decisions later on, and generally makes it very explicit which maps are privileged and which are not (e.g., LRU_HASH and LRU_PERCPU_HASH, which are privileged HASH variants, as opposed to unprivileged HASH and HASH_PERCPU; now this is explicit and easy to verify). Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/bpf/20230613223533.3689589-4-andrii@kernel.org
This commit is contained in:
committed by
Daniel Borkmann
parent
22db41226b
commit
6c3eba1c5e
@@ -422,12 +422,6 @@ static int htab_map_alloc_check(union bpf_attr *attr)
|
||||
BUILD_BUG_ON(offsetof(struct htab_elem, fnode.next) !=
|
||||
offsetof(struct htab_elem, hash_node.pprev));
|
||||
|
||||
if (lru && !bpf_capable())
|
||||
/* LRU implementation is much complicated than other
|
||||
* maps. Hence, limit to CAP_BPF.
|
||||
*/
|
||||
return -EPERM;
|
||||
|
||||
if (zero_seed && !capable(CAP_SYS_ADMIN))
|
||||
/* Guard against local DoS, and discourage production use. */
|
||||
return -EPERM;
|
||||
|
||||
Reference in New Issue
Block a user