From patchwork Thu Apr 13 08:50:32 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Young <sean@mess.org>
X-Patchwork-Id: 674376
Return-Path: <linux-media-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 77924C77B6E
 for <linux-media@archiver.kernel.org>; Thu, 13 Apr 2023 08:50:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229648AbjDMIuf (ORCPT <rfc822;linux-media@archiver.kernel.org>);
 Thu, 13 Apr 2023 04:50:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46378 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229580AbjDMIuf (ORCPT
 <rfc822;linux-media@vger.kernel.org>);
 Thu, 13 Apr 2023 04:50:35 -0400
Received: from gofer.mess.org (gofer.mess.org [88.97.38.141])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA8F97DA5;
 Thu, 13 Apr 2023 01:50:33 -0700 (PDT)
Received: by gofer.mess.org (Postfix, from userid 1000)
 id 827DD10006C; Thu, 13 Apr 2023 09:50:32 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mess.org; s=2020;
 t=1681375832; bh=cjjs7O5NakfwtXtoeoEFfJIPF9km/TVa8zs1rP16FAk=;
 h=From:To:Cc:Subject:Date:From;
 b=lxrwJJEoZQ1Bw3gJ2MfFL13Cda/Y2xL414/5xSWROD6mTWLC8HIICKsWxVPvKpkv3
 JWhlnyqv7gPGaZsktX4+awhRIwpZ/vwSEuN9YpKi837orGkfRG4FTRofnDFcCIboNP
 1OBwJU7dWi2TMb/JeU7Fxhjl7uON3WjfOa1dNZO4pG20evP/g5DTsWSIamugyyfxud
 zAE3PZ8sKVPsZHNMvowl5PHfkFlrUnj6ZutyogKjYhiJFIqS42GGG0FaGRWrSKkF5P
 N3PUuW+sJ433A1VmIUpbvI7ALqdWSrXvSpP+3AJlmQAGhIb0A7V5aR/XxVxYcOX43L
 mMmY0r26RxFkw==
From: Sean Young <sean@mess.org>
To: linux-media@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: [PATCH v2] media: rc: bpf attach/detach requires write permission
Date: Thu, 13 Apr 2023 09:50:32 +0100
Message-Id: <20230413085032.709757-1-sean@mess.org>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org

Note that bpf attach/detach also requires CAP_NET_ADMIN.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/media/rc/bpf-lirc.c     | 6 +++---
 drivers/media/rc/lirc_dev.c     | 5 ++++-
 drivers/media/rc/rc-core-priv.h | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c
index fe17c7f98e81..52d82cbe7685 100644
--- a/drivers/media/rc/bpf-lirc.c
+++ b/drivers/media/rc/bpf-lirc.c
@@ -253,7 +253,7 @@ int lirc_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog)
 	if (attr->attach_flags)
 		return -EINVAL;
 
-	rcdev = rc_dev_get_from_fd(attr->target_fd);
+	rcdev = rc_dev_get_from_fd(attr->target_fd, true);
 	if (IS_ERR(rcdev))
 		return PTR_ERR(rcdev);
 
@@ -278,7 +278,7 @@ int lirc_prog_detach(const union bpf_attr *attr)
 	if (IS_ERR(prog))
 		return PTR_ERR(prog);
 
-	rcdev = rc_dev_get_from_fd(attr->target_fd);
+	rcdev = rc_dev_get_from_fd(attr->target_fd, true);
 	if (IS_ERR(rcdev)) {
 		bpf_prog_put(prog);
 		return PTR_ERR(rcdev);
@@ -303,7 +303,7 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr)
 	if (attr->query.query_flags)
 		return -EINVAL;
 
-	rcdev = rc_dev_get_from_fd(attr->query.target_fd);
+	rcdev = rc_dev_get_from_fd(attr->query.target_fd, false);
 	if (IS_ERR(rcdev))
 		return PTR_ERR(rcdev);
 
diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 25ab61dae126..d9b316eb86dd 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -810,7 +810,7 @@ void __exit lirc_dev_exit(void)
 	unregister_chrdev_region(lirc_base_dev, RC_DEV_MAX);
 }
 
-struct rc_dev *rc_dev_get_from_fd(int fd)
+struct rc_dev *rc_dev_get_from_fd(int fd, bool write)
 {
 	struct fd f = fdget(fd);
 	struct lirc_fh *fh;
@@ -824,6 +824,9 @@ struct rc_dev *rc_dev_get_from_fd(int fd)
 		return ERR_PTR(-EINVAL);
 	}
 
+	if (write && !(f.file->f_mode & FMODE_WRITE))
+		return ERR_PTR(-EPERM);
+
 	fh = f.file->private_data;
 	dev = fh->rc;
 
diff --git a/drivers/media/rc/rc-core-priv.h b/drivers/media/rc/rc-core-priv.h
index ef1e95e1af7f..7df949fc65e2 100644
--- a/drivers/media/rc/rc-core-priv.h
+++ b/drivers/media/rc/rc-core-priv.h
@@ -325,7 +325,7 @@ void lirc_raw_event(struct rc_dev *dev, struct ir_raw_event ev);
 void lirc_scancode_event(struct rc_dev *dev, struct lirc_scancode *lsc);
 int lirc_register(struct rc_dev *dev);
 void lirc_unregister(struct rc_dev *dev);
-struct rc_dev *rc_dev_get_from_fd(int fd);
+struct rc_dev *rc_dev_get_from_fd(int fd, bool write);
 #else
 static inline int lirc_dev_init(void) { return 0; }
 static inline void lirc_dev_exit(void) {}