On Thu, Jun 18, 2020 at 3:20 AM Maciej Żenczykowski <zenczykowski@xxxxxxxxx> wrote:
>
> John has all the details. I'm just guessing.
>
> But having actually looked at the code, commit 2c78ee898d8f1 i.e.
>
> kernel/bpf/syscall.c: bpf_prog_load()
> + if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN))
> + return -EPERM;
>
> looks fishy, since our bpfloader only has CHOWN SYS_ADMIN, and the
> maps/programs it creates/loads are used by netd which only has
> NET_ADMIN (but not SYS_ADMIN). Furthermore I don't really want to
> grant it NET_ADMIN.
>
> I think this should again be either NET_ADMIN or SYS_ADMIN.

Just to confirm, reverting 2c78ee898d8f1 (which doesn't revert perfectly
cleanly) seems to avoid the failure I was seeing. And specifically in the
chunk Maciej pointed out above, if we just switch the check to CAP_SYS_ADMIN
it also avoids the problem.

Let me know if there is anything folks would like me to test!

thanks
-john
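Review bot: the check added to bpf_prog_load() in the quoted chunk of 2c78ee898d8f1 makes CAP_NET_ADMIN the only capability that satisfies it, so a loader holding CAP_SYS_ADMIN but not CAP_NET_ADMIN (the bpfloader case described above) now gets -EPERM where it previously succeeded; since the thread reports that switching the check to CAP_SYS_ADMIN avoids the failure and Maciej asks for "either NET_ADMIN or SYS_ADMIN", the less disruptive form is to accept both, e.g. `if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN) && !capable(CAP_SYS_ADMIN))` before `return -EPERM;`, and the commit message should state the capability change so userspace loaders are not surprised by it.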