On Tue, Nov 29, 2022 at 8:16 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
>
> In the containerized environment, if a container is not
> privileged but with CAP_BPF, it is not easy to debug bpf created in this
> container, let alone using bpftool. Because these bpf objects are
> invisible if they are not pinned in bpffs. Currently we have to
> interact with the process which creates these bpf objects to get the
> information. It may be better if we can control the access to each
> object the same way as we control the file in bpffs, but now I think we
> should allow the accessibility of these objects with CAP_BPF.
>
> Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
> ---
>  kernel/bpf/syscall.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>

As far as I can tell, requiring CAP_SYS_ADMIN on iterating IDs and
converting IDs to FDs is intended and is an important design in BPF's
security model [1]. So this change does not look good.

From the commit message, I'm not clear how BPF is debugged in containers
in your use case. Maybe the debugging process should be required to have
CAP_SYS_ADMIN?

[1] https://lore.kernel.org/bpf/20200513230355.7858-1-alexei.starovoitov@xxxxxxxxx/
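The capability gate the reply refers to can be observed from userspace: the following probe (an added example, not code from the thread or from the patch under review) issues BPF_PROG_GET_NEXT_ID and BPF_PROG_GET_FD_BY_ID and reports whether the caller got past the CAP_SYS_ADMIN check. It assumes a Linux host; the bpf_cmd numbers and the leading fields of union bpf_attr are copied from uapi/linux/bpf.h so that it builds without kernel headers.

```c
/* Added example, not part of the thread or the patch: probe whether the
 * calling task may enumerate BPF program IDs and turn an ID into an FD,
 * the two operations the reply says are gated on CAP_SYS_ADMIN. Assumes
 * Linux; bpf_cmd values and attr layout copied from uapi/linux/bpf.h. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#define BPF_PROG_GET_NEXT_ID  11  /* enum bpf_cmd */
#define BPF_PROG_GET_FD_BY_ID 13

/* Leading fields of union bpf_attr used by the ID commands; the kernel
 * accepts a short attr as long as the omitted tail would be zero. */
struct id_attr {
    uint32_t start_id;  /* read as prog_id by BPF_PROG_GET_FD_BY_ID */
    uint32_t next_id;
    uint32_t open_flags;
};

/* Returns 0 if the task passed the capability check (the call succeeded or
 * reported ENOENT, "no such object"), otherwise the errno the kernel gave:
 * EPERM for an unprivileged or CAP_BPF-only task under the current rule. */
int bpf_id_access(int cmd, uint32_t id)
{
    struct id_attr attr;
    long r = -1;
    memset(&attr, 0, sizeof attr);
    attr.start_id = id;
#ifdef __NR_bpf
    r = syscall(__NR_bpf, cmd, &attr, sizeof attr);
#else
    errno = ENOSYS;  /* not Linux: bpf(2) does not exist */
#endif
    if (r >= 0) {
        if (cmd == BPF_PROG_GET_FD_BY_ID)
            close((int)r);  /* only asked for the FD to test access */
        return 0;
    }
    return errno == ENOENT ? 0 : errno;
}

int main(void)
{
    int e = bpf_id_access(BPF_PROG_GET_NEXT_ID, 0);
    printf("BPF_PROG_GET_NEXT_ID: %s\n", e ? strerror(e) : "allowed");
    return 0;
}
```

Run it once as root and once in an unprivileged container that only has CAP_BPF: the first prints "allowed", the second prints "Operation not permitted", which is the behaviour the reply describes as intended.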