From: John Fastabend <john.fastabend@gmail.com>
Date: Wed, 18 Oct 2017 14:11:22 +0000 (-0700)
Subject: bpf: require CAP_NET_ADMIN when using sockmap maps
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=fb50df8d32283cd95932a182a46a10070c4a8832;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

bpf: require CAP_NET_ADMIN when using sockmap maps

Restrict sockmap to CAP_NET_ADMIN.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index beaabb21c3a3..2b6eb35ae5d3 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -486,6 +486,9 @@ static struct bpf_map *sock_map_alloc(union bpf_attr *attr)
 	int err = -EINVAL;
 	u64 cost;
 
+	if (!capable(CAP_NET_ADMIN))
+		return ERR_PTR(-EPERM);
+
 	/* check sanity of attributes */
 	if (attr->max_entries == 0 || attr->key_size != 4 ||
 	    attr->value_size != 4 || attr->map_flags & ~BPF_F_NUMA_NODE)