On Thu, Aug 29, 2019 at 03:36:42PM +0200, Nicolas Dichtel wrote:
> On 29/08/2019 at 07:12, Alexei Starovoitov wrote:
> [snip]
> > CAP_BPF and CAP_NET_ADMIN together allow the following:
> > - Attach to cgroup-bpf hooks and query
> > - skb, xdp, flow_dissector test_run command
> >
> > CAP_NET_ADMIN allows:
> > - Attach networking bpf programs to xdp, tc, lwt, flow dissector
> I'm not sure I understand the difference between these last two points.
> But, with the current kernel, CAP_NET_ADMIN is not enough to attach a bpf prog
> with tc and it's still not enough after your patch.
> The following command is rejected:
> $ tc filter add dev eth0 ingress matchall action bpf obj ./tc_test_kern.o sec test
>
> Prog section 'test' rejected: Operation not permitted (1)!
> - Type: 4
> - Instructions: 22 (0 over limit)
> - License: GPL
>
> Verifier analysis:
>
> Error fetching program/map!
> bad action parsing
> parse_action: bad value (5:bpf)!
> Illegal "action"

because tc/iproute2 is doing load and attach.
Currently load needs cap_sys_admin and attach needs cap_net_admin.
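To make the load/attach split in the reply concrete, here is an added shell example (not code from the thread or from iproute2): it decodes a CapEff mask of the form shown in /proc/<pid>/status and reports whether the load step or the attach step of the tc command above would be refused on a kernel where load is gated by CAP_SYS_ADMIN and tc attach by CAP_NET_ADMIN. The bit numbers come from linux/capability.h (CAP_NET_ADMIN=12, CAP_SYS_ADMIN=21); the sample masks in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Capability bit numbers as defined
# in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
# (HEXMASK is the 16-hex-digit value printed after "CapEff:" in
# /proc/<pid>/status, without the 0x prefix).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# tc_bpf_verdict HEXMASK -> prints which step of
#   tc filter add ... action bpf obj prog.o sec sect
# fails for a process whose effective capability set is HEXMASK.
# iproute2 first loads the program (BPF_PROG_LOAD), which on the kernel the
# thread discusses needs CAP_SYS_ADMIN, and only then attaches it via the
# tc action, which needs CAP_NET_ADMIN. A missing CAP_SYS_ADMIN therefore
# produces "Prog section ... rejected: Operation not permitted" before any
# attach is attempted, which is what the quoted output shows.
tc_bpf_verdict() {
    mask=$1
    if ! has_cap "$mask" "$CAP_SYS_ADMIN"; then
        echo "load-denied"
    elif ! has_cap "$mask" "$CAP_NET_ADMIN"; then
        echo "attach-denied"
    else
        echo "ok"
    fi
}

# Constructed sample masks:
#   0000000000001000  only CAP_NET_ADMIN (1<<12)       -> load-denied
#   0000000000200000  only CAP_SYS_ADMIN (1<<21)       -> attach-denied
#   0000000000201000  CAP_SYS_ADMIN | CAP_NET_ADMIN    -> ok
# Live check of the current shell:
#   tc_bpf_verdict "$(awk '/^CapEff/ {print $2}' /proc/self/status)"
```

The live check at the bottom reads the calling shell's own effective set; run it as the user that will invoke tc to see which step would be refused.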