On Wed, Jun 17, 2020 at 11:43 PM Maciej Żenczykowski <zenczykowski@xxxxxxxxx> wrote:
>
> is
>   (SYS_ADMIN || BPF) && NET_ADMIN
>
> should this not be
>   SYS_ADMIN || (BPF && NET_ADMIN)
>
> ?

capable_bpf_net_admin doesn't exist.

> Won't this cause a just SYS_ADMIN process to fail to load network bpf progs?

If the process has cap_sys_admin it has all privs.

> (I haven't debugged this at all, but John is reporting 5.8-rc1 fails
> to load bpf progs from Android's bpfloader with EPERM error)
>
> Or are we okay with this user space visible behavioural change?

What kind of change? Could you please be more specific?