On Sun, Mar 26, 2023 at 2:22 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
>
> Currently only CAP_SYS_ADMIN can iterate BPF object IDs and convert IDs
> to FDs, that's intended for BPF's security model[1]. Not only does it
> prevent non-privileged users from getting other users' bpf program, but
> also it prevents the user from iterating his own bpf objects.
>
> In container environment, some users want to run bpf programs in their
> containers. These users can run their bpf programs under CAP_BPF and
> some other specific CAPs, but they can't inspect their bpf programs in a
> generic way. For example, the bpftool can't be used as it requires
> CAP_SYS_ADMIN. That is very inconvenient.

Agreed that it is important to enable tools like bpftool without
CAP_SYS_ADMIN. However, I am not sure whether we need a new namespace
for this. Can we reuse some existing namespace for this? If we do need
a new namespace, maybe we should share some effort with the tracer
namespace proposal [1]?

Thanks,
Song

[1] https://lpc.events/event/16/contributions/1237/