• Alexei Starovoitov's avatar
    bpf: Implement CAP_BPF · 2c78ee89
    Alexei Starovoitov authored
    Implement permissions as stated in uapi/linux/capability.h
    In order to do that the verifier allow_ptr_leaks flag is split
    into four flags and they are set as:
      env->allow_ptr_leaks = bpf_allow_ptr_leaks();
      env->bypass_spec_v1 = bpf_bypass_spec_v1();
      env->bypass_spec_v4 = bpf_bypass_spec_v4();
      env->bpf_capable = bpf_capable();
    
    The first three currently equivalent to perfmon_capable(), since leaking kernel
    pointers and reading kernel memory via side channel attacks is roughly
    equivalent to reading kernel memory with cap_perfmon.
    
    'bpf_capable' enables bounded loops, precision tracking, bpf to bpf calls and
    other verifier features. 'allow_ptr_leaks' enable ptr leaks, ptr conversions,
    subtraction of pointers. 'bypass_spec_v1' disables speculative analysis in the
    verifier, run time mitigations in bpf array, and enables indirect variable
    access in bpf programs. 'bypass_spec_v4' disables emission of sanitation code
    by the verifier.
    
    That means that the networking BPF program loaded with CAP_BPF + CAP_NET_ADMIN
    will have speculative checks done by the verifier and other spectre mitigation
    applied. Such networking BPF program will not be able to leak kernel pointers
    and will not be able to access arbitrary kernel memory.
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20200513230355.7858-3-alexei.starovoitov@gmail.com
    2c78ee89
syscall.c 96.7 KB