Alexei Starovoitov 2c78ee898d bpf: Implement CAP_BPF ... Implement permissions as stated in uapi/linux/capability.h In order to do that the verifier allow_ptr_leaks flag is split into four flags and they are set as: env->allow_ptr_leaks = bpf_allow_ptr_leaks(); env->bypass_spec_v1 = bpf_bypass_spec_v1(); env->bypass_spec_v4 = bpf_bypass_spec_v4(); env->bpf_capable = bpf_capable(); The first three currently equivalent to perfmon_capable(), since leaking kernel pointers and reading kernel memory via side channel attacks is roughly equivalent to reading kernel memory with cap_perfmon. 'bpf_capable' enables bounded loops, precision tracking, bpf to bpf calls and other verifier features. 'allow_ptr_leaks' enable ptr leaks, ptr conversions, subtraction of pointers. 'bypass_spec_v1' disables speculative analysis in the verifier, run time mitigations in bpf array, and enables indirect variable access in bpf programs. 'bypass_spec_v4' disables emission of sanitation code by the verifier. That means that the networking BPF program loaded with CAP_BPF + CAP_NET_ADMIN will have speculative checks done by the verifier and other spectre mitigation applied. Such networking BPF program will not be able to leak kernel pointers and will not be able to access arbitrary kernel memory. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20200513230355.7858-3-alexei.starovoitov@gmail.com		2020-05-15 17:29:41 +02:00
..
arraymap.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
bpf_iter.c	bpf: Enable bpf_iter targets registering ctx argument types	2020-05-13 12:30:50 -07:00
bpf_lru_list.c
bpf_lru_list.h	bpf: Fix a typo "inacitve" -> "inactive"	2020-04-06 21:54:10 +02:00
bpf_lsm.c	bpf: lsm: Implement attach, detach and execution	2020-03-30 01:34:00 +02:00
bpf_struct_ops.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
bpf_struct_ops_types.h	bpf: tcp: Support tcp_congestion_ops in bpf	2020-01-09 08:46:18 -08:00
btf.c	bpf: Enable bpf_iter targets registering ctx argument types	2020-05-13 12:30:50 -07:00
cgroup.c	bpf: Add support for BPF_OBJ_GET_INFO_BY_FD for bpf_link	2020-04-28 17:27:08 -07:00
core.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
cpumap.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
devmap.c	xdp: export the DEV_MAP_BULK_SIZE macro	2020-04-22 20:11:29 -07:00
disasm.c
disasm.h
dispatcher.c	bpf: Remove bpf_image tree	2020-03-13 12:49:52 -07:00
hashtab.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
helpers.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
inode.c	bpf: Create file bpf iterator	2020-05-09 17:05:26 -07:00
local_storage.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-12-22 09:54:33 -08:00
lpm_trie.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
Makefile	bpf: Add task and task/file iterator targets	2020-05-09 17:05:26 -07:00
map_in_map.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
map_in_map.h
map_iter.c	bpf: Enable bpf_iter targets registering ctx argument types	2020-05-13 12:30:50 -07:00
offload.c	bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill	2020-02-17 16:53:49 +01:00
percpu_freelist.c	bpf: Dont iterate over possible CPUs with interrupts disabled	2020-02-24 16:18:20 -08:00
percpu_freelist.h
queue_stack_maps.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
reuseport_array.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
stackmap.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
syscall.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
sysfs_btf.c	bpf: Support llvm-objcopy for vmlinux BTF	2020-03-19 12:32:38 +01:00
task_iter.c	bpf: Fix bpf_iter's task iterator logic	2020-05-14 18:37:32 -07:00
tnum.c	bpf: Verifier, do explicit ALU32 bounds tracking	2020-03-30 14:59:53 -07:00
trampoline.c	bpf: lsm: Implement attach, detach and execution	2020-03-30 01:34:00 +02:00
verifier.c	bpf: Implement CAP_BPF	2020-05-15 17:29:41 +02:00
xskmap.c	xsk: Make xskmap flush_list common for all map instances	2019-12-19 21:09:43 -08:00