bpf: Keep BPF_PROG_LOAD permission checks clear of validations

Move out flags validation and license checks out of the permission
checks. They were intermingled, which makes subsequent changes harder.
Clean this up: perform straightforward flag validation upfront, and
fetch and check license later, right where we use it. Also consolidate
capabilities check in one block, right after basic attribute sanity
checks.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/20230613223533.3689589-5-andrii@kernel.org
This commit is contained in:
Andrii Nakryiko 2023-06-13 15:35:33 -07:00 коммит произвёл Daniel Borkmann
Родитель 6c3eba1c5e
Коммит 7f6719f7a8
1 изменённых файлов: 9 добавлений и 12 удалений

Просмотреть файл

@ -2550,7 +2550,6 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
struct btf *attach_btf = NULL; struct btf *attach_btf = NULL;
int err; int err;
char license[128]; char license[128];
bool is_gpl;
if (CHECK_ATTR(BPF_PROG_LOAD)) if (CHECK_ATTR(BPF_PROG_LOAD))
return -EINVAL; return -EINVAL;
@ -2569,16 +2568,6 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
!bpf_capable()) !bpf_capable())
return -EPERM; return -EPERM;
/* copy eBPF program license from user space */
if (strncpy_from_bpfptr(license,
make_bpfptr(attr->license, uattr.is_kernel),
sizeof(license) - 1) < 0)
return -EFAULT;
license[sizeof(license) - 1] = 0;
/* eBPF programs must be GPL compatible to use GPL-ed functions */
is_gpl = license_is_gpl_compatible(license);
/* Intent here is for unprivileged_bpf_disabled to block BPF program /* Intent here is for unprivileged_bpf_disabled to block BPF program
* creation for unprivileged users; other actions depend * creation for unprivileged users; other actions depend
* on fd availability and access to bpffs, so are dependent on * on fd availability and access to bpffs, so are dependent on
@ -2671,12 +2660,20 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
make_bpfptr(attr->insns, uattr.is_kernel), make_bpfptr(attr->insns, uattr.is_kernel),
bpf_prog_insn_size(prog)) != 0) bpf_prog_insn_size(prog)) != 0)
goto free_prog_sec; goto free_prog_sec;
/* copy eBPF program license from user space */
if (strncpy_from_bpfptr(license,
make_bpfptr(attr->license, uattr.is_kernel),
sizeof(license) - 1) < 0)
goto free_prog_sec;
license[sizeof(license) - 1] = 0;
/* eBPF programs must be GPL compatible to use GPL-ed functions */
prog->gpl_compatible = license_is_gpl_compatible(license) ? 1 : 0;
prog->orig_prog = NULL; prog->orig_prog = NULL;
prog->jited = 0; prog->jited = 0;
atomic64_set(&prog->aux->refcnt, 1); atomic64_set(&prog->aux->refcnt, 1);
prog->gpl_compatible = is_gpl ? 1 : 0;
if (bpf_prog_is_dev_bound(prog->aux)) { if (bpf_prog_is_dev_bound(prog->aux)) {
err = bpf_prog_dev_bound_init(prog, attr); err = bpf_prog_dev_bound_init(prog, attr);