mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 22:02:02 +00:00
Code Issues Releases Wiki Activity
linux-stable/Documentation/networking
History
Ilya Maximets ab0085bd79 xsk: Honor SO_BINDTODEVICE on bind 
[ Upstream commit f7306acec9 ]

Initial creation of an AF_XDP socket requires CAP_NET_RAW capability. A
privileged process might create the socket and pass it to a non-privileged
process for later use. However, that process will be able to bind the socket
to any network interface. Even though it will not be able to receive any
traffic without modification of the BPF map, the situation is not ideal.

Sockets already have a mechanism that can be used to restrict what interface
they can be attached to. That is SO_BINDTODEVICE.

To change the SO_BINDTODEVICE binding the process will need CAP_NET_RAW.

Make xsk_bind() honor the SO_BINDTODEVICE in order to allow safer workflow
when non-privileged process is using AF_XDP.

The intended workflow is following:

  1. First process creates a bare socket with socket(AF_XDP, ...).
  2. First process loads the XSK program to the interface.
  3. First process adds the socket fd to a BPF map.
  4. First process ties socket fd to a particular interface using
     SO_BINDTODEVICE.
  5. First process sends socket fd to a second process.
  6. Second process allocates UMEM.
  7. Second process binds socket to the interface with bind(...).
  8. Second process sends/receives the traffic.

All the steps above are possible today if the first process is privileged
and the second one has sufficient RLIMIT_MEMLOCK and no capabilities.
However, the second process will be able to bind the socket to any interface
it wants on step 7 and send traffic from it. With the proposed change, the
second process will be able to bind the socket only to a specific interface
chosen by the first process at step 4.

Fixes: 965a990984 ("xsk: add support for bind for Rx")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/bpf/20230703175329.3259672-1-i.maximets@ovn.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-07-27 08:37:23 +02:00
..
caif
device_drivers Documentation: networking: device drivers: Remove stray asterisks 2019-11-01 13:20:43 -07:00
dsa docs: net: dsa: sja1105: Add info about the Time-Aware Scheduler 2019-09-16 21:32:58 +02:00
mac80211_hwsim
6lowpan.txt
6pack.txt
af_xdp.rst xsk: Honor SO_BINDTODEVICE on bind 2023-07-27 08:37:23 +02:00
alias.rst
altera_tse.txt
arcnet-hardware.txt
arcnet.txt
atm.txt
ax25.txt
batman-adv.rst
baycom.txt
bonding.txt bonding: fix ad_actor_system option setting to default 2021-12-29 12:23:35 +01:00
bridge.rst
can.rst
can_ucan_protocol.rst
cdc_mbim.txt
checksum-offloads.rst
cops.txt
cxacru-cf.py
cxacru.txt
dccp.txt
dctcp.txt
defza.txt
devlink-health.txt
devlink-info-versions.rst devlink: Add new info version tags for ASIC and FW 2019-09-05 09:24:43 +02:00
devlink-params-bnxt.txt
devlink-params-mlxsw.txt
devlink-params-nfp.txt nfp: devlink: add 'reset_dev_on_drv_probe' support 2019-09-10 17:29:27 +01:00
devlink-params.txt devlink: add 'reset_dev_on_drv_probe' param 2019-09-10 17:29:26 +01:00
devlink-trap-netdevsim.rst
devlink-trap.rst Documentation: Clarify trap's description 2019-09-27 20:33:19 +02:00
dns_resolver.txt
driver.txt
eql.txt
failover.rst
fib_trie.txt
filter.txt
fore200e.txt
framerelay.txt
gen_stats.txt
generic-hdlc.txt
generic_netlink.txt
gtp.txt
hinic.txt
ieee802154.rst
ila.txt
index.rst Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2019-09-18 12:34:53 -07:00
ip-sysctl.txt Documentation: fix sctp_wmem in ip-sysctl.rst 2022-08-03 11:59:40 +02:00
ip_dynaddr.txt
ipddp.txt
iphase.txt
ipsec.txt
ipv6.txt
ipvlan.txt
ipvs-sysctl.txt netfilter: ipvs: Fix reuse connection if RS weight is 0 2021-12-01 09:23:31 +01:00
j1939.rst can: j1939: swap addr and pgn in the send example 2020-11-18 19:20:19 +01:00
kapi.rst
kcm.txt
l2tp.txt
lapb-module.txt
ltpc.txt
mac80211-auth-assoc-deauth.txt
mac80211-injection.txt
mpls-sysctl.txt
msg_zerocopy.rst
multiqueue.txt
net_dim.txt net: update net_dim documentation after rename 2019-10-10 16:37:10 -07:00
net_failover.rst
netconsole.txt
netdev-FAQ.rst
netdev-features.txt
netdevices.txt
netfilter-sysctl.txt
netif-msg.txt
nf_conntrack-sysctl.txt
nf_flowtable.txt netfilter: nf_flowtable: fix documentation 2020-03-05 16:43:51 +01:00
nfc.txt
openvswitch.txt
operstates.txt
packet_mmap.txt
phonet.txt
phy.rst
pktgen.txt
PLIP.txt
ppp_generic.txt
proc_net_tcp.txt
radiotap-headers.txt
ray_cs.txt
rds.txt
regulatory.txt
rxrpc.txt
scaling.rst
sctp.txt
secid.txt
seg6-sysctl.txt
segmentation-offloads.rst
sfp-phylink.rst net: phylink: clarify where phylink should be used 2019-09-16 16:53:44 +02:00
skfp.txt
snmp_counter.rst
strparser.txt
switchdev.txt
tc-actions-env-rules.txt
tcp-thin.txt
team.txt
timestamping.txt
tls-offload-layers.svg
tls-offload-reorder-bad.svg
tls-offload-reorder-good.svg
tls-offload.rst Documentation: TLS: Add missing counter description 2019-11-05 18:34:06 -08:00
tls.rst
tproxy.txt
tuntap.txt
udplite.txt
vrf.txt
vxlan.txt
x25-iface.txt
x25.txt
xfrm_device.txt
xfrm_proc.txt
xfrm_sync.txt
xfrm_sysctl.txt
z8530book.rst
z8530drv.txt