On Mon, 26 Sep 2022, at 17:18, Roberto Sassu wrote: > > Uhm, if I get what you mean, you would like to add DAC controls to the > pinned map to decide if you can get a fd and with which modes. > > The problem I see is that a map exists regardless of the pinned path > (just by ID). Can you spell this out for me? I imagine you're talking about MAP_GET_FD_BY_ID, but that is CAP_SYS_ADMIN only, right? Not great maybe, but no gaping hole IMO. > DAC information should be rather added to the map object > itself. There is a form of DAC on the map, BPF_F_RDONLY_PROG and friends. You just can't stuff BPF_F_RDONLY in there since multiple fds may refer to the same map with different permissions.
