bpf: allow socket_filter programs to use bpf_prog_test_run
authorAlexei Starovoitov <ast@kernel.org>
Thu, 18 Jan 2018 00:52:02 +0000 (16:52 -0800)
committerDaniel Borkmann <daniel@iogearbox.net>
Thu, 18 Jan 2018 21:37:58 +0000 (22:37 +0100)
In order to improve test coverage, allow the socket_filter program type
to be run via the bpf_prog_test_run command.
Since such programs can be loaded by non-root users, tighten
permissions for bpf_prog_test_run to be root only
to avoid surprises.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
kernel/bpf/syscall.c
net/core/filter.c

index c28524483bf45c71c990b98d2afa42bf92a741e4..97a825ffc7639526b163b936d9eae0862f9758c9 100644 (file)
@@ -1504,6 +1504,8 @@ static int bpf_prog_test_run(const union bpf_attr *attr,
        struct bpf_prog *prog;
        int ret = -ENOTSUPP;
 
+       if (!capable(CAP_SYS_ADMIN))
+               return -EPERM;
        if (CHECK_ATTR(BPF_PROG_TEST_RUN))
                return -EINVAL;
 
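Review bot: The new `capable(CAP_SYS_ADMIN)` gate at the top of bpf_prog_test_run has no comment, so the reason for it lives only in the commit message; I would add `/* socket_filter progs can be loaded without privilege; keep test_run CAP_SYS_ADMIN-only */` above the check. The commit message says "root only", but capable() tests the capability (against the initial user namespace) rather than uid 0, so the comment should name the capability. Because the check sits ahead of CHECK_ATTR, an unprivileged caller gets -EPERM whatever the attr contents, which looks intended; a selftest that issues BPF_PROG_TEST_RUN without CAP_SYS_ADMIN and expects -EPERM would pin it. The function body continues outside the hunk.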
index db2ee8c7e1bda8fc448c1026716f06572d404d6a..30fafaaa90fa6e2ee4621113f1eaf5e24e46f346 100644 (file)
@@ -4526,6 +4526,7 @@ const struct bpf_verifier_ops sk_filter_verifier_ops = {
 };
 
 const struct bpf_prog_ops sk_filter_prog_ops = {
+       .test_run               = bpf_prog_test_run_skb,
 };
 
 const struct bpf_verifier_ops tc_cls_act_verifier_ops = {
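Review bot: The `.test_run = bpf_prog_test_run_skb` initialiser exposes the skb test harness to a program type that unprivileged users can load, and the only guard is the capability check this commit adds in kernel/bpf/syscall.c. A comment on the initialiser such as `/* reached only via BPF_PROG_TEST_RUN, which requires CAP_SYS_ADMIN */` would keep the two in step if that check is ever relaxed. bpf_prog_test_run_skb is not visible in this hunk, so it is worth confirming that the skb it builds matches what a socket filter sees on the real receive path (data offset, attached socket), since helpers and context fields permitted for this type may depend on them.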