On Tue, Mar 28, 2023 at 3:04 AM Song Liu <song@xxxxxxxxxx> wrote:
>
> On Sun, Mar 26, 2023 at 2:22 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> >
> > Currently only CAP_SYS_ADMIN can iterate BPF object IDs and convert IDs
> > to FDs, that's intended for BPF's security model[1]. Not only does it
> > prevent non-privileged users from getting other users' bpf program, but
> > also it prevents the user from iterating his own bpf objects.
> >
> > In container environment, some users want to run bpf programs in their
> > containers. These users can run their bpf programs under CAP_BPF and
> > some other specific CAPs, but they can't inspect their bpf programs in a
> > generic way. For example, the bpftool can't be used as it requires
> > CAP_SYS_ADMIN. That is very inconvenient.
>
> Agreed that it is important to enable tools like bpftool without
> CAP_SYS_ADMIN. However, I am not sure whether we need a new
> namespace for this. Can we reuse some existing namespace for this?
>

It seems we can't.

> If we do need a new namespace, maybe we should share some effort
> with tracer namespace proposal [1]?
>

Thanks for your information. I will learn the tracer namespace first
and try to analyze how to cooperate with it.

> Thanks,
> Song
>
> [1] https://lpc.events/event/16/contributions/1237/

--
Regards
Yafang