android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cd52323ac4
android_kernel_samsung_sm8650/Documentation
History
Ilya Maximets 67eb4aee2c xsk: Honor SO_BINDTODEVICE on bind 
[ Upstream commit f7306acec9aae9893d15e745c8791124d42ab10a ]

Initial creation of an AF_XDP socket requires CAP_NET_RAW capability. A
privileged process might create the socket and pass it to a non-privileged
process for later use. However, that process will be able to bind the socket
to any network interface. Even though it will not be able to receive any
traffic without modification of the BPF map, the situation is not ideal.

Sockets already have a mechanism that can be used to restrict what interface
they can be attached to. That is SO_BINDTODEVICE.

To change the SO_BINDTODEVICE binding the process will need CAP_NET_RAW.

Make xsk_bind() honor the SO_BINDTODEVICE in order to allow safer workflow
when non-privileged process is using AF_XDP.

The intended workflow is following:

  1. First process creates a bare socket with socket(AF_XDP, ...).
  2. First process loads the XSK program to the interface.
  3. First process adds the socket fd to a BPF map.
  4. First process ties socket fd to a particular interface using
     SO_BINDTODEVICE.
  5. First process sends socket fd to a second process.
  6. Second process allocates UMEM.
  7. Second process binds socket to the interface with bind(...).
  8. Second process sends/receives the traffic.

All the steps above are possible today if the first process is privileged
and the second one has sufficient RLIMIT_MEMLOCK and no capabilities.
However, the second process will be able to bind the socket to any interface
it wants on step 7 and send traffic from it. With the proposed change, the
second process will be able to bind the socket only to a specific interface
chosen by the first process at step 4.

Fixes: 965a990984 ("xsk: add support for bind for Rx")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/bpf/20230703175329.3259672-1-i.maximets@ovn.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-07-19 16:22:05 +02:00
..
ABI usb: misc: eud: Fix eud sysfs path (use 'qcom_eud') 2023-07-19 16:21:53 +02:00
accounting filemap: make the accounting of thrashing more consistent 2022-09-26 19:46:06 -07:00
admin-guide mm: memcontrol: deprecate charge moving 2023-03-10 09:34:26 +01:00
arc
arm EFI updates for v6.1 2022-10-09 08:56:54 -07:00
arm64 irqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4 2023-05-24 17:32:36 +01:00
block blk-crypto: don't use struct request_queue for public interfaces 2023-05-11 23:03:00 +09:00
bpf bpf, docs: Fix modulo zero, division by zero, overflow, and underflow 2023-03-10 09:33:50 +01:00
cdrom
core-api overflow: Fix kern-doc markup for functions 2022-10-25 14:57:42 -07:00
cpu-freq
crypto
dev-tools docs/scripts/gdb: add necessary make scripts_gdb step 2023-03-10 09:33:58 +01:00
devicetree dt-bindings: power: reset: qcom-pon: Only allow reboot-mode pre-pmk8350 2023-07-19 16:21:48 +02:00
doc-guide Rust introduction for v6.1-rc1 2022-10-03 16:39:37 -07:00
driver-api spi: Update reference to struct spi_controller 2022-12-31 13:32:06 +01:00
fault-injection lkdtm: replace ll_rw_block with submit_bh 2023-07-19 16:21:53 +02:00
fb Documentation: fb: udlfb: clean up text and formatting 2022-09-27 13:21:44 -06:00
features
filesystems docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate 2023-03-22 13:33:40 +01:00
firmware_class
firmware-guide Merge branches 'acpi-misc', 'acpi-tools' and 'acpi-docs' 2022-10-03 20:03:49 +02:00
fpga
gpu drm/vmwgfx: Remove vmwgfx_hashtab 2023-01-18 11:58:28 +01:00
hid
hwmon hwmon: (ftsteutates) Fix scaling of measurements 2023-03-10 09:33:10 +01:00
i2c docs: i2c: slave-interface: return errno when handle I2C_SLAVE_WRITE_REQUESTED 2022-09-28 21:41:59 +02:00
ia64
iio docs: iio: add documentation for BNO055 driver 2022-09-21 18:42:56 +01:00
images
infiniband
input Merge branch 'next' into for-linus 2022-10-09 22:30:23 -07:00
isdn
kbuild Documentation: kbuild: Add description of git for reproducible builds 2022-10-28 00:16:29 +09:00
kernel-hacking Documentation: Fix spelling mistake in hacking.rst 2022-10-24 11:27:51 -06:00
leds
litmus-tests
livepatch
locking Remove duplicate words inside documentation 2022-09-27 13:21:43 -06:00
loongarch docs/LoongArch: Add booting description 2022-12-08 14:59:15 +08:00
m68k
maintainer
mhi
mips
misc-devices
mm mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM 2023-06-14 11:15:29 +02:00
netlabel
networking xsk: Honor SO_BINDTODEVICE on bind 2023-07-19 16:22:05 +02:00
nios2
nvdimm
openrisc
parisc
PCI
pcmcia
peci
power
powerpc powerpc/64s: update cpu selection options 2022-09-28 19:22:10 +10:00
process docs: Set minimal gtags / GNU GLOBAL version to 6.6.5 2023-07-05 18:27:38 +01:00
RCU There's not a huge amount of activity in the docs tree this time around, 2022-10-03 10:23:32 -07:00
riscv riscv: Move early dtb mapping into the fixmap region 2023-05-01 08:26:28 +09:00
rust x86: enable initial Rust support 2022-09-28 09:02:45 +02:00
s390 vfio/mdev: embedd struct mdev_parent in the parent data structure 2022-10-04 12:06:58 -06:00
scheduler docs: scheduler: Update new path for the sysctl knobs 2022-09-27 13:21:42 -06:00
scsi
security KEYS: encrypted: fix key instantiation with user-provided data 2022-12-21 17:48:11 +01:00
sh
sound ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard 2023-04-20 12:35:05 +02:00
sparc
sphinx docs: Fix the docs build with Sphinx 6.0 2023-01-18 11:58:10 +01:00
sphinx-static
spi
staging docs: put atomic*.txt and memory-barriers.txt into the core-api book 2022-09-29 12:55:06 -06:00
target
timers
tools A handful of relatively simple documentation fixes, plus a set of patches 2022-10-13 10:58:32 -07:00
trace attr: use consistent sgid stripping checks 2023-03-03 11:52:25 +01:00
translations docs/zh_CN: Add LoongArch booting description's translation 2022-12-08 15:03:14 +08:00
usb
userspace-api media fixes for v6.1-rc2 2022-10-22 15:30:15 -07:00
virt KVM: s390: disable migration mode when dirty tracking is disabled 2023-03-10 09:34:05 +01:00
w1 Documentation: W1: minor typo corrections 2022-09-27 13:21:44 -06:00
watchdog
x86 x86/sev: Add SEV-SNP guest feature negotiation support 2023-02-01 08:34:50 +01:00
xtensa
.gitignore
arch.rst
atomic_bitops.txt
atomic_t.txt
Changes
CodingStyle
conf.py There's not a huge amount of activity in the docs tree this time around, 2022-10-03 10:23:32 -07:00
docutils.conf
dontdiff
index.rst Rust introduction for v6.1-rc1 2022-10-03 16:39:37 -07:00
Kconfig
Makefile
memory-barriers.txt
SubmittingPatches
subsystem-apis.rst docs: Rewrite the front page 2022-09-29 12:55:06 -06:00