In kernel/bpf/syscall.c we restrict programs loading bpf kprobe programs so attr.kern_version must be exactly equal to what the user is running at the moment. This makes a lot of sense because kprobes can touch lots of unstable bits of the kernel ABI.
Unfortunately, this makes it really difficult to ship binary bpf programs for debugging, and most customers don't want to go through all the steps of preparing for compilation and installation of bpf programs for their specific kernel that was shipped by their vendor. This is especially problematic when the probe is touching only stable ABIs (syscalls), or alternatively is just logging performance events. I realize that we can change this section pretty easily by reading the version at load time and modifying it, but it's kind of a pain. For programs that we know are safe, is there a mechanism by which we can bypass this check, and tell the loader that we know what we're doing since these programs are only accessible to CAP_SYS_ADMIN?
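The "read the version at load time" workaround mentioned above, as an added example that is not part of the original post or of the kernel sources: it derives the value to place in attr.kern_version from the running kernel's uname release string. The names KVER, kver_from_release and running_kver are hypothetical, and the release strings in the comments are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/* Same encoding as the kernel's KERNEL_VERSION(a, b, c) macro. */
#define KVER(a, b, c) (((unsigned)(a) << 16) | ((unsigned)(b) << 8) | (unsigned)(c))

/*
 * Parse a release string such as "4.15.0-112-generic" (constructed sample)
 * into a version code. Returns 0 when the string does not start with at
 * least "major.minor", so the caller can refuse to load instead of guessing.
 */
unsigned kver_from_release(const char *rel)
{
    unsigned long v[3] = {0, 0, 0};
    int i;

    for (i = 0; i < 3; i++) {
        char *end;
        if (!isdigit((unsigned char)*rel))
            return 0;
        v[i] = strtoul(rel, &end, 10);
        rel = end;
        if (*rel != '.')
            break;              /* end of string or a suffix like "-generic" */
        rel++;
    }
    if (i < 1 || v[0] > 0xffff || v[1] > 255)
        return 0;
    if (v[2] > 255)             /* newer kernels clamp the sublevel to 255 */
        v[2] = 255;
    return KVER(v[0], v[1], v[2]);
}

/* Version code of the running kernel, or 0 on failure. */
unsigned running_kver(void)
{
    struct utsname u;
    return uname(&u) == 0 ? kver_from_release(u.release) : 0;
}

int main(void)
{
    /* A loader would store this in attr.kern_version before BPF_PROG_LOAD. */
    printf("kern_version = 0x%06x\n", running_kver());
    return 0;
}
```

Distribution kernels may report a release string whose third component differs from the compiled-in LINUX_VERSION_CODE (libbpf consults /proc/version_signature on Ubuntu for this reason), so check the derived value on each target distribution.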