On Thu, Aug 29, 2019 at 8:47 AM Daniel Borkmann wrote:
>
> On 8/29/19 7:12 AM, Alexei Starovoitov wrote:
> [...]
> >
> > +/*
> > + * CAP_BPF allows the following BPF operations:
> > + * - Loading all types of BPF programs
> > + * - Creating all types of BPF maps except:
> > + *- stackmap that
On Thu, Aug 29, 2019 at 10:25:30PM +0200, Jesper Dangaard Brouer wrote:
> On Thu, 29 Aug 2019 20:05:49 +0200
> Toke Høiland-Jørgensen wrote:
>
> > Alexei Starovoitov writes:
> >
> > > On Thu, Aug 29, 2019 at 09:44:18AM +0200, Toke Høiland-Jørgensen wrote:
> > >> Alexei Starovoitov writes:
>
On Thu, 29 Aug 2019 20:05:49 +0200
Toke Høiland-Jørgensen wrote:
> Alexei Starovoitov writes:
>
> > On Thu, Aug 29, 2019 at 09:44:18AM +0200, Toke Høiland-Jørgensen wrote:
> >> Alexei Starovoitov writes:
> >>
> >> > CAP_BPF allows the following BPF operations:
> >> > - Loading all types o
Alexei Starovoitov writes:
> On Thu, Aug 29, 2019 at 09:44:18AM +0200, Toke Høiland-Jørgensen wrote:
>> Alexei Starovoitov writes:
>>
>> > CAP_BPF allows the following BPF operations:
>> > - Loading all types of BPF programs
>> > - Creating all types of BPF maps except:
>> >   - stackmap that
On Thu, Aug 29, 2019 at 03:36:42PM +0200, Nicolas Dichtel wrote:
> On 29/08/2019 at 07:12, Alexei Starovoitov wrote:
> [snip]
> > CAP_BPF and CAP_NET_ADMIN together allow the following:
> > - Attach to cgroup-bpf hooks and query
> > - skb, xdp, flow_dissector test_run command
> >
> > CAP_NET_ADM
On Thu, Aug 29, 2019 at 09:44:18AM +0200, Toke Høiland-Jørgensen wrote:
> Alexei Starovoitov writes:
>
> > CAP_BPF allows the following BPF operations:
> > - Loading all types of BPF programs
> > - Creating all types of BPF maps except:
> >   - stackmap that needs CAP_TRACING
> >   - devmap tha
> On Aug 29, 2019, at 8:47 AM, Daniel Borkmann wrote:
>
>> On 8/29/19 7:12 AM, Alexei Starovoitov wrote:
>> [...]
>> +/*
>> + * CAP_BPF allows the following BPF operations:
>> + * - Loading all types of BPF programs
>> + * - Creating all types of BPF maps except:
>> + *- stackmap that needs C
On 8/29/19 7:12 AM, Alexei Starovoitov wrote:
[...]
+/*
+ * CAP_BPF allows the following BPF operations:
+ * - Loading all types of BPF programs
+ * - Creating all types of BPF maps except:
+ *- stackmap that needs CAP_TRACING
+ *- devmap that needs CAP_NET_ADMIN
+ *- cpumap that n
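Review bot: in the exception list under "Creating all types of BPF maps except:", the comment names the extra capability each map type needs (CAP_TRACING for stackmap, CAP_NET_ADMIN for devmap) but gives no reason for it. A short rationale per entry would let a later reader decide which capability a new map type belongs under without going back to the commit message.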
On 29/08/2019 at 07:12, Alexei Starovoitov wrote:
[snip]
> CAP_BPF and CAP_NET_ADMIN together allow the following:
> - Attach to cgroup-bpf hooks and query
> - skb, xdp, flow_dissector test_run command
>
> CAP_NET_ADMIN allows:
> - Attach networking bpf programs to xdp, tc, lwt, flow dissector
I
Alexei Starovoitov writes:
> CAP_BPF allows the following BPF operations:
> - Loading all types of BPF programs
> - Creating all types of BPF maps except:
>    - stackmap that needs CAP_TRACING
>    - devmap that needs CAP_NET_ADMIN
>    - cpumap that needs CAP_SYS_ADMIN
Why CAP_SYS_ADMIN instea
> On Aug 28, 2019, at 10:12 PM, Alexei Starovoitov wrote:
>
[...]
> - Creation of [ku][ret]probe
> - Accessing arbitrary kernel memory via kprobe + probe_kernel_read
> - Attach tracing bpf programs to perf events
> - Access to kallsyms
>
> Signed-off-by: Alexei Starovoitov
Acked-by: Song L
CAP_BPF allows the following BPF operations:
- Loading all types of BPF programs
- Creating all types of BPF maps except:
   - stackmap that needs CAP_TRACING
   - devmap that needs CAP_NET_ADMIN
   - cpumap that needs CAP_SYS_ADMIN
- Advanced verifier features
- Indirect variable access
- Boun