On Wed, May 24, 2023 at 3:55 PM Andrii Nakryiko <andrii@xxxxxxxxxx> wrote:
>
> Getting ID of map/prog/btf/link doesn't give any access to underlying
> BPF objects, so there is no point in requiring CAP_SYS_ADMIN for these
> commands.

I don't think it's a good idea to allow unpriv to figure out all
prog/map/btf/link IDs.
Since unpriv is typically disabled it's not a security issue,
but rather a concern over abuse of IDR logic and potential
for exploits in *get_next_id() code.
At least CAP_BPF is needed.