On Thu, Oct 29, 2020 at 12:30:49AM +0200, Alon, Liran wrote:
> > Guarding /sys/kernel/bpf/vmlinux behind CAP_PERFMON would break a lot
> > of users relying on BTF availability to build their BPF applications.
> True. If this patch is applied, would need to at least be behind an opt-in
> knob. Similar to dmesg_restrict.

It's not going to be applied.
If a file shouldn't be read by a user it should have appropriate file permissions
instead of 444. Checking capable() in read() is a very non-unix way to deal with
permissions.