Commit 9e3c6555 authored Jun 02, 2017 by Chenbo Feng

FROMLIST: [net-next,v2,1/2] bpf: Allow CGROUP_SKB eBPF program to access

sk_buff

This allows cgroup eBPF program to classify packet based on their
protocol or other detail information. Currently program need
CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
process with CAP_NET_ADMIN can already see all packets on the system,
for example, by creating an iptables rules that causes the packet to
be passed to userspace via NFLOG.

(url: http://patchwork.ozlabs.org/patch/769459/

)

Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 30950746
Change-Id: I11bef84ce26cf8b8f1b89483c32a7fcdd61ae926

parent 8f3ac4c1

kernel/bpf/verifier.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -2164,6 +2164,7 @@ static bool may_access_skb(enum bpf_prog_type type)
		case BPF_PROG_TYPE_SOCKET_FILTER:
		case BPF_PROG_TYPE_SCHED_CLS:
		case BPF_PROG_TYPE_SCHED_ACT:
		case BPF_PROG_TYPE_CGROUP_SKB:
		return true;
		default:
		return false;