authorAlexei Starovoitov <ast@kernel.org>2018-01-18 03:52:02 +0300
committerDaniel Borkmann <daniel@iogearbox.net>2018-01-19 00:37:58 +0300
commit61f3c964dfd287b05d7ac6660a4f4ddfef84786c (patch)
tree08e694284faafaea533e9ca894ca9564a16bcc27 /kernel/bpf/syscall.c
parente7b2823a582a5bca5ee47644f448e317178e8824 (diff)
bpf: allow socket_filter programs to use bpf_prog_test_run
In order to improve test coverage, allow the socket_filter program type to be run via the bpf_prog_test_run command. Since such programs can be loaded by non-root, tighten permissions for bpf_prog_test_run to be root only to avoid surprises.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel/bpf/syscall.c')
-rw-r--r--kernel/bpf/syscall.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index c28524483bf4..97a825ffc763 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1504,6 +1504,8 @@ static int bpf_prog_test_run(const union bpf_attr *attr,
struct bpf_prog *prog;
int ret = -ENOTSUPP;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
if (CHECK_ATTR(BPF_PROG_TEST_RUN))
return -EINVAL;
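Review bot: The new `capable(CAP_SYS_ADMIN)` gate at the top of bpf_prog_test_run has no comment, so the reason for it lives only in the commit message. I would add one above the check, for example `/* socket_filter progs can be loaded by unprivileged users; keep test_run restricted to CAP_SYS_ADMIN */`. Because `capable()` tests against the initial user namespace, a CAP_SYS_ADMIN holder inside a user namespace is refused as well, which seems to match the "root only" intent but is worth stating in that comment. The check applies to every program type rather than only socket filters, so an unprivileged caller that was handed a program fd by a privileged process would now get -EPERM (inferred; no such caller is visible here). The body of bpf_prog_test_run continues past the end of the hunk.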