Since c8644cd0e, BPF permissions are indirectly checked by having a
program FD or bpffs ACL. When using BPF_PROG_DETACH command on TCX or
netkit device, it's not required to provide a program FD. Instead, the
program can be specified using a relative specifier (eg., BPF_F_AFTER).

In this case, there is no permission check as there is no FD involved,
so any user can execute that detach command. This is problematic when
BPF is used to filter out packets not intended to user as it can just
remove the filter from the network interface.

For this reason, require CAP_NET_ADMIN or CAP_SYS_ADMIN in detach (only
when the BPF program FD isn't provided).

Signed-off-by: Guillaume GONNET <ggonnet.linux@gmail.com>
---
 kernel/bpf/syscall.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 3c5c03d43f5f..d1600aef6e03 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4563,6 +4563,8 @@ static int bpf_prog_detach(const union bpf_attr *attr)
 			prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
 			if (IS_ERR(prog))
 				return PTR_ERR(prog);
+		} else if (!bpf_net_capable()) {
+			return -EPERM;
 		}
 	} else if (is_cgroup_prog_type(ptype, 0, false)) {
 		if (attr->attach_flags || attr->relative_fd)
-- 
2.34.1