Commit bfeb7e39 authored Sep 05, 2022 by Yauheni Kaliuta Committed by Daniel Borkmann Sep 16, 2022

bpf: Use bpf_capable() instead of CAP_SYS_ADMIN for blinding decision

The full CAP_SYS_ADMIN requirement for blinding looks too strict nowadays.
These days given unprivileged BPF is disabled by default, the main users
for constant blinding coming from unprivileged in particular via cBPF -> eBPF
migration (e.g. old-style socket filters).

Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220831090655.156434-1-ykaliuta@redhat.com
Link: https://lore.kernel.org/bpf/20220905090149.61221-1-ykaliuta@redhat.com

parent a02c118e

Documentation/admin-guide/sysctl/net.rst

+3 −0

Original line number	Diff line number	Diff line
		@@ -102,6 +102,9 @@ Values:
		- 1 - enable JIT hardening for unprivileged users only
		- 2 - enable JIT hardening for all users

		where "privileged user" in this context means a process having
		CAP_BPF or CAP_SYS_ADMIN in the root user name space.

		bpf_jit_kallsyms
		----------------

+1 −1

Original line number	Diff line number	Diff line
		@@ -1099,7 +1099,7 @@ static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog)
		return false;
		if (!bpf_jit_harden)
		return false;
		if (bpf_jit_harden == 1 && capable(CAP_SYS_ADMIN))
		if (bpf_jit_harden == 1 && bpf_capable())
		return false;

		return true;