In the containerized envriomentation, if a container is not privileged but with CAP_BPF, it is not easy to debug bpf created in this container, let alone using bpftool. Because these bpf objects are invisible if they are not pinned in bpffs. Currently we have to interact with the process which creates these bpf objects to get the information. It may be better if we can control the access to each object the same way as we control the file in bpffs, but now I think we should allow the accessibility of these objects with CAP_BPF.

Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
---
 kernel/bpf/syscall.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 35972afb6850..9cd6b41e2d2b 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -3660,7 +3660,7 @@ static int bpf_obj_get_next_id(const union bpf_attr *attr,
 	if (CHECK_ATTR(BPF_OBJ_GET_NEXT_ID) || next_id >= INT_MAX)
 		return -EINVAL;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!bpf_capable())
 		return -EPERM;
 
 	next_id++;
@@ -3741,7 +3741,7 @@ static int bpf_prog_get_fd_by_id(const union bpf_attr *attr)
 	if (CHECK_ATTR(BPF_PROG_GET_FD_BY_ID))
 		return -EINVAL;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!bpf_capable())
 		return -EPERM;
 
 	prog = bpf_prog_by_id(id);
@@ -3768,7 +3768,7 @@ static int bpf_map_get_fd_by_id(const union bpf_attr *attr)
 	    attr->open_flags & ~BPF_OBJ_FLAG_MASK)
 		return -EINVAL;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!bpf_capable())
 		return -EPERM;
 
 	f_flags = bpf_get_file_flag(attr->open_flags);
@@ -4345,7 +4345,7 @@ static int bpf_btf_get_fd_by_id(const union bpf_attr *attr)
 	if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID))
 		return -EINVAL;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!bpf_capable())
 		return -EPERM;
 
 	return btf_get_fd_by_id(attr->btf_id);
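Review bot: Lowering the gate from capable(CAP_SYS_ADMIN) to bpf_capable() in bpf_obj_get_next_id — and identically in the bpf_prog_get_fd_by_id, bpf_map_get_fd_by_id, bpf_btf_get_fd_by_id and bpf_link_get_fd_by_id hunks — lets any CAP_BPF holder walk the integer id space and obtain an fd to objects it did not create, because none of the hunks adds an ownership or namespace check to go with the weaker capability, and nothing visible here scopes the ids to the caller's container. For bpf_map_get_fd_by_id this extends to the writable fds selected by attr->open_flags (the bpf_get_file_flag line at the end of that hunk is unchanged), so one CAP_BPF tenant could read or modify another tenant's map contents; the description itself says per-object access control would be the better model, which argues for gating these paths on such a check rather than on bpf_capable() alone. If the relaxation is kept on purpose, each site should say so, e.g. `/* CAP_BPF suffices here: ids are not namespaced, so this exposes every object on the host, not only this container's */`, and the description should state the widened exposure plainly rather than only noting the debugging benefit. All five enclosing functions begin and end outside their hunks.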
@@ -4769,7 +4769,7 @@ static int bpf_link_get_fd_by_id(const union bpf_attr *attr)
 	if (CHECK_ATTR(BPF_LINK_GET_FD_BY_ID))
 		return -EINVAL;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!bpf_capable())
 		return -EPERM;
 
 	link = bpf_link_by_id(id);
-- 
2.30.1 (Apple Git-130)