review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Stanislav Fomichev <sdf@google.com>
	Wed, 27 Jan 2021 19:31:39 +0000 (11:31 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Thu, 28 Jan 2021 02:18:15 +0000 (18:18 -0800)
commit	772412176fb98493158929b220fe250127f611af
tree	b2aef4837caa452c535a1a0a1364f8f44a7a3bd5	tree \| snapshot
parent	8063e184e49011f6f3f34f6c358dc8a83890bb5b	commit \| diff

bpf: Allow rewriting to ports under ip_unprivileged_port_start

At the moment, BPF_CGROUP_INET{4,6}_BIND hooks can rewrite user_port
to the privileged ones (< ip_unprivileged_port_start), but it will
be rejected later on in the __inet_bind or __inet6_bind.

Let's add another return value to indicate that CAP_NET_BIND_SERVICE
check should be ignored. Use the same idea as we currently use
in cgroup/egress where bit #1 indicates CN. Instead, for
cgroup/bind{4,6}, bit #1 indicates that CAP_NET_BIND_SERVICE should
be bypassed.

v5:
- rename flags to be less confusing (Andrey Ignatov)
- rework BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY to work on flags
and accept BPF_RET_SET_CN (no behavioral changes)

v4:
- Add missing IPv6 support (Martin KaFai Lau)

v3:
- Update description (Martin KaFai Lau)
- Fix capability restore in selftest (Martin KaFai Lau)

v2:
- Switch to explicit return code (Martin KaFai Lau)

Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Andrey Ignatov <rdna@fb.com>
Link: https://lore.kernel.org/bpf/20210127193140.3170382-1-sdf@google.com

include/linux/bpf-cgroup.h		diff \| blob \| history
include/linux/bpf.h		diff \| blob \| history
include/net/inet_common.h		diff \| blob \| history
kernel/bpf/cgroup.c		diff \| blob \| history
kernel/bpf/verifier.c		diff \| blob \| history
net/ipv4/af_inet.c		diff \| blob \| history
net/ipv6/af_inet6.c		diff \| blob \| history