exit
fi
done
-From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Tue, 26 Apr 2016 22:26:26 +0200
-Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
-
-When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
-references a non-map file descriptor as a map file descriptor, the error
-handling code called fdput() twice instead of once (in __bpf_map_get() and
-in replace_map_fd_with_map_ptr()). If the file descriptor table of the
-current task is shared, this causes f_count to be decremented too much,
-allowing the struct file to be freed while it is still in use
-(use-after-free). This can be exploited to gain root privileges by an
-unprivileged user.
-
-This bug was introduced in
-commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
-exploitable since
-commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
-previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
-
-(posted publicly according to request by maintainer)
-
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- kernel/bpf/verifier.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 618ef77..db2574e 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
- if (IS_ERR(map)) {
- verbose("fd %d is not pointing to valid bpf_map\n",
- insn->imm);
-- fdput(f);
- return PTR_ERR(map);
- }
+--- linux-4.14/security/selinux/include/classmap.h 2017-11-12 19:46:13.000000000 +0100
++++ linux-4.20/security/selinux/include/classmap.h 2018-12-24 00:55:59.000000000 +0100
+@@ -238,9 +238,11 @@
+ { "access", NULL } },
+ { "infiniband_endport",
+ { "manage_subnet", NULL } },
++ { "xdp_socket",
++ { COMMON_SOCK_PERMS, NULL } },
+ { NULL }
+ };
---
-cgit v0.12
-
+-#if PF_MAX > 44
++#if PF_MAX > 45
+ #error New address family defined, please update secclass_map.
+ #endif