The full CAP_SYS_ADMIN requirement for blining looks too strict nowadays. These days given unpriv eBPF is disabled by default, the main users for constant blinding coming from unpriv in particular via cBPF -> eBPF migration (e.g. old-style socket filters). Discussion: https://lore.kernel.org/bpf/20220831090655.156434-1-ykaliuta@xxxxxxxxxx/ Signed-off-by: Yauheni Kaliuta <ykaliuta@xxxxxxxxxx> --- Documentation/admin-guide/sysctl/net.rst | 3 +++ include/linux/filter.h | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/sysctl/net.rst b/Documentation/admin-guide/sysctl/net.rst index 805f2281e000..ff1e5b5acd28 100644 --- a/Documentation/admin-guide/sysctl/net.rst +++ b/Documentation/admin-guide/sysctl/net.rst @@ -101,6 +101,9 @@ Values: - 1 - enable JIT hardening for unprivileged users only - 2 - enable JIT hardening for all users +where "privileged user" in this context means a process having +CAP_BPF or CAP_SYS_ADMIN in the root user name space. + bpf_jit_kallsyms ---------------- diff --git a/include/linux/filter.h b/include/linux/filter.h index 527ae1d64e27..75335432fcbc 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -1099,7 +1099,7 @@ static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog) return false; if (!bpf_jit_harden) return false; - if (bpf_jit_harden == 1 && capable(CAP_SYS_ADMIN)) + if (bpf_jit_harden == 1 && bpf_capable()) return false; return true; -- 2.34.1
