On Thu, Sep 05, 2019 at 10:37:03AM +0200, Daniel Borkmann wrote:
> On 9/4/19 5:21 PM, Alexei Starovoitov wrote:
> > On 9/4/19 8:16 AM, Daniel Borkmann wrote:
> > > opening/creating BPF maps" error="Unable to create map
> > > /run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted"
> > > su
On 9/4/19 5:21 PM, Alexei Starovoitov wrote:
On 9/4/19 8:16 AM, Daniel Borkmann wrote:
opening/creating BPF maps" error="Unable to create map
/run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted"
subsys=daemon
2019-09-04T14:11:47.28178666Z level=fatal msg="Error while creating
daemon
On 9/4/19 8:16 AM, Daniel Borkmann wrote:
> opening/creating BPF maps" error="Unable to create map
> /run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted"
> subsys=daemon
> 2019-09-04T14:11:47.28178666Z level=fatal msg="Error while creating
> daemon" error="Unable to create map
> /r
On 9/4/19 3:39 AM, Alexei Starovoitov wrote:
On 8/30/19 8:19 AM, Nicolas Dichtel wrote:
On 29/08/2019 at 19:30, Alexei Starovoitov wrote:
[snip]
These are the links showing that k8 can delegate caps.
Are you saying that you know of folks who specifically
delegate cap_sys_admin and cap_n
On 8/30/19 8:19 AM, Nicolas Dichtel wrote:
> On 29/08/2019 at 19:30, Alexei Starovoitov wrote:
> [snip]
>> These are the links showing that k8 can delegate caps.
>> Are you saying that you know of folks who specifically
>> delegate cap_sys_admin and cap_net_admin _only_ to a container to ru
On 29/08/2019 at 19:30, Alexei Starovoitov wrote:
[snip]
> These are the links showing that k8 can delegate caps.
> Are you saying that you know of folks who specifically
> delegate cap_sys_admin and cap_net_admin _only_ to a container to run bpf in
> there?
>
Yes, we need cap_sys_admin o
On Thu, Aug 29, 2019 at 05:32:27PM +0200, Daniel Borkmann wrote:
> On 8/29/19 7:12 AM, Alexei Starovoitov wrote:
> > Implement permissions as stated in uapi/linux/capability.h
> >
> > Note that CAP_SYS_ADMIN is replaced with CAP_BPF.
> > All existing applications that use BPF do not drop all caps
On Thu, Aug 29, 2019 at 06:04:42AM +, Song Liu wrote:
>
>
> > On Aug 28, 2019, at 10:12 PM, Alexei Starovoitov wrote:
> >
>
> [...]
>
> > diff --git a/tools/testing/selftests/bpf/test_verifier.c
> > b/tools/testing/selftests/bpf/test_verifier.c
> > index 44e2d640b088..91a7f25512ca 100644
On 8/29/19 7:12 AM, Alexei Starovoitov wrote:
Implement permissions as stated in uapi/linux/capability.h
Note that CAP_SYS_ADMIN is replaced with CAP_BPF.
All existing applications that use BPF do not drop all caps
and keep only CAP_SYS_ADMIN before doing bpf() syscall.
Hence it's highly unlikel
> On Aug 28, 2019, at 10:12 PM, Alexei Starovoitov wrote:
>
[...]
> diff --git a/tools/testing/selftests/bpf/test_verifier.c
> b/tools/testing/selftests/bpf/test_verifier.c
> index 44e2d640b088..91a7f25512ca 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/se