diff options
author | Alexei Starovoitov <ast@kernel.org> | 2018-01-18 03:52:02 +0300 |
---|---|---|
committer | Daniel Borkmann <daniel@iogearbox.net> | 2018-01-19 00:37:58 +0300 |
commit | 61f3c964dfd287b05d7ac6660a4f4ddfef84786c (patch) | |
tree | 08e694284faafaea533e9ca894ca9564a16bcc27 /kernel/bpf/syscall.c | |
parent | e7b2823a582a5bca5ee47644f448e317178e8824 (diff) | |
download | linux-61f3c964dfd287b05d7ac6660a4f4ddfef84786c.tar.xz |
bpf: allow socket_filter programs to use bpf_prog_test_run
in order to improve test coverage allow socket_filter program type
to be run via bpf_prog_test_run command.
Since such programs can be loaded by non-root tighten
permissions for bpf_prog_test_run to be root only
to avoid surprises.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel/bpf/syscall.c')
-rw-r--r-- | kernel/bpf/syscall.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index c28524483bf4..97a825ffc763 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1504,6 +1504,8 @@ static int bpf_prog_test_run(const union bpf_attr *attr, struct bpf_prog *prog; int ret = -ENOTSUPP; + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; if (CHECK_ATTR(BPF_PROG_TEST_RUN)) return -EINVAL; |