Commit c8c5e35

zhuyifei1999 zhuyifei1999

committed

af_xdp: Allow running onload as non-root

There's a TODO saying how it fails when the process does not have CAP_NET_RAW. This is true, so to workaround that, swap to a temporary global-root cred from `prepare_kernel_cred(&init_task)`. While in theory one could create a less-privileged cred via `prepare_creds()` and individually raise the required capability bits, just like in oo_cplane_empower_cap_net_raw, unfortunately xdp_umem_create -> xdp_umem_reg -> xdp_umem_account_pages requires CAP_IPC_LOCK in the init user ns, and escalating to init user ns while keeping capability bits sounds meaningless to me. The netns of the process is backed by the nsproxy and not the cred so this should not affect netns. Though I'm not sure about the security implications of this, considering onload is able to run rootless in non-AF_XDP mode already. Signed-off-by: YiFei Zhu <zhuyifei@google.com>

1 parent 221f5f4 commit c8c5e35Copy full SHA for c8c5e35

File tree

1 file changed

+18

-4

lines changed

src/lib/efhw
- af_xdp.c

1 file changed

+18

-4

lines changed

`‎src/lib/efhw/af_xdp.c‎`

Lines changed: 18 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -730,6 +730,8 @@ static int af_xdp_init(struct efhw_nic* nic, int instance,`
`730`	`730`	`struct socket* sock;`
`731`	`731`	`struct file* file;`
`732`	`732`	`struct efab_af_xdp_offsets* user_offsets;`
	`733`	`+ const struct cred *old_cred;`
	`734`	`+ struct cred *cred;`
`733`	`735`
`734`	`736`	`if( chunk_size == 0 \|\|`
`735`	`737`	`chunk_size < headroom \|\|`
`@@ -749,18 +751,24 @@ static int af_xdp_init(struct efhw_nic* nic, int instance,`
`749`	`751`	`if( sw_bt == NULL )`
`750`	`752`	`return -EINVAL;`
`751`	`753`
	`754`	`+ cred = prepare_kernel_cred(&init_task);`
	`755`	`+ if( cred == NULL )`
	`756`	`+ return -ENOMEM;`
	`757`	`+ old_cred = override_creds(cred);`
	`758`	`+`
`752`	`759`	`/* We need to use network namespace of network device so that`
`753`	`760`	`* ifindex passed in bpf syscalls makes sense`
`754`	`761`	`* TODO AF_XDP: there is a race here with device changing netns`
`755`		`- * TODO AF_XDP: this fails unless the user namespace has CAP_NET_RAW`
`756`	`762`	`*/`
`757`	`763`	`rc = __sock_create(dev_net(nic->net_dev), AF_XDP, SOCK_RAW, 0, &sock, 0);`
`758`	`764`	`if( rc < 0 )`
`759`		`- returnrc;`
	`765`	`+ goto fail_cred;`
`760`	`766`
`761`	`767`	`file = sock_alloc_file(sock, 0, NULL);`
`762`		`- if( IS_ERR(file) )`
`763`		`- return PTR_ERR(file);`
	`768`	`+ if( IS_ERR(file) ) {`
	`769`	`+ rc = PTR_ERR(file);`
	`770`	`+ goto fail_cred;`
	`771`	`+ }`
`764`	`772`	`vi->sock = sock;`
`765`	`773`
`766`	`774`	`rc = efhw_page_alloc_zeroed(&vi->user_offsets_page);`
`@@ -815,11 +823,17 @@ static int af_xdp_init(struct efhw_nic* nic, int instance,`
`815`	`823`	`add_wait_queue(sk_sleep(vi->sock->sk), &vi->waiter.wait);`
`816`	`824`
`817`	`825`	`user_offsets->mmap_bytes = efhw_page_map_bytes(page_map);`
	`826`	`+`
	`827`	`+ revert_creds(old_cred);`
	`828`	`+ put_cred(cred);`
`818`	`829`	`return 0;`
`819`	`830`
`820`	`831`	`fail:`
`821`	`832`	`vi->waiter.wait.func = NULL;`
`822`	`833`	`xdp_release_vi(nic, vi);`
	`834`	`+ fail_cred:`
	`835`	`+ revert_creds(old_cred);`
	`836`	`+ put_cred(cred);`
`823`	`837`	`return rc;`
`824`	`838`	`}`
`825`	`839`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit c8c5e35

File tree

1 file changed

1 file changed

`‎src/lib/efhw/af_xdp.c‎`

0 commit comments