On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
From: Chenbo Feng <fe...@google.com>
Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user have CAP_NET_ADMIN privilege. We can escape the capability
check when load the program just like socket filter program to make
the capability requirement consistent.
Change since v1:
Change the code style in order to be compliant with checkpatch.pl
preference
Signed-off-by: Chenbo Feng <fe...@google.com>
as far as I can see they're indeed the same as socket filters, so
Acked-by: Alexei Starovoitov <a...@kernel.org>
but I don't quite understand how it helps, since as you said
attaching such unpriv fd to cgroup still requires root.
Do you have more patches to follow?
Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
then we must at least also zero out the not-yet-initialized memory
for the mac header for egress case in __cgroup_bpf_run_filter_skb().
