bpf: Use bpf_capable() instead of CAP_SYS_ADMIN for blinding decision

Yauheni Kaliuta requested to merge ykaliuta/centos-stream-9:cap_bpf into main

bpf: Use bpf_capable() instead of CAP_SYS_ADMIN for blinding decision

Bugzilla: http://bugzilla.redhat.com/2063058

The full CAP_SYS_ADMIN requirement for blinding looks too strict nowadays. These days given unprivileged BPF is disabled by default, the main users for constant blinding coming from unprivileged in particular via cBPF -> eBPF migration (e.g. old-style socket filters).

Signed-off-by: Yauheni Kaliuta ykaliuta@redhat.com
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
Link: https://lore.kernel.org/bpf/20220831090655.156434-1-ykaliuta@redhat.com
Link: https://lore.kernel.org/bpf/20220905090149.61221-1-ykaliuta@redhat.com
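The effect of the change described above, as an added userspace model (not code from the merge request or the kernel): it reads CapEff from a constructed /proc/<pid>/status excerpt and evaluates the blinding decision with the old CAP_SYS_ADMIN check and with the bpf_capable() check. Assumptions: the JIT is requested for the program, the harden argument mirrors the net.core.bpf_jit_harden sysctl, bpf_capable() is satisfied by CAP_BPF or CAP_SYS_ADMIN, and the function names and sample text are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN 21 /* capability numbers from linux/capability.h */
#define CAP_BPF       39

/* Constructed sample: a loader whose effective set holds only CAP_BPF (bit 39). */
static const char sample_status[] =
    "Name:\tloader\nCapInh:\t0000000000000000\nCapEff:\t0000008000000000\n";

/* Extract the effective capability mask from /proc/<pid>/status text. */
static bool parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    char *end;

    if (!p)
        return false;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16); /* skips the tab, parses the hex mask */
    return end != p;
}

static bool has_cap(uint64_t m, int cap) { return (m >> cap) & 1; }

/* harden: 0 = off, 1 = blind programs from unexempted loaders, 2 = blind all.
 * patched selects the bpf_capable() exemption instead of CAP_SYS_ADMIN alone. */
static bool blinding_applies(int harden, uint64_t capeff, bool patched)
{
    bool exempt = has_cap(capeff, CAP_SYS_ADMIN) ||
                  (patched && has_cap(capeff, CAP_BPF));

    if (harden == 0)
        return false;
    if (harden == 1 && exempt)
        return false;
    return true;
}

int main(void)
{
    uint64_t eff = 0;

    if (!parse_capeff(sample_status, &eff))
        return 1;
    printf("harden=1, CAP_BPF only: before=%d after=%d\n",
           blinding_applies(1, eff, false), blinding_applies(1, eff, true));
    return 0;
}
```

With the sysctl at 1, a loader that holds CAP_BPF but not CAP_SYS_ADMIN is the case whose result differs between the two checks; a value of 2 blinds regardless of capabilities.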