Skip to content

Commit f300769

Browse files
author
James Morse
committed
arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB. In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless. Signed-off-by: James Morse <james.morse@arm.com> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
1 parent 0dfefc2 commit f300769

File tree

1 file changed

+3
-0
lines changed

1 file changed

+3
-0
lines changed

arch/arm64/net/bpf_jit_comp.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -952,6 +952,9 @@ static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx)
952952
arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
953953
return;
954954

955+
if (capable(CAP_SYS_ADMIN))
956+
return;
957+
955958
if (supports_clearbhb(SCOPE_SYSTEM)) {
956959
emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx);
957960
return;

0 commit comments

Comments
 (0)