Re: [PATCH] Add a sysctl option to disable bpf offensive helpers.

On Sat, Jun 10, 2023 at 03:26:18PM +0000, Yi He wrote:
> The default value of sysctl_offensive_bpf_disabled is 0, which means
> all the five helpers are enabled. By setting sysctl_offensive_bpf_disabled
> to 1, these helpers cannot be used until a reboot. By setting it to 2,
> these helpers cannot be used but privileged users can modify this flag
> to 0.

That's just a nightmare API.  The right thing is to not allow
program types that can use the helpers from anything but a global
fully privileged context.

And offensive is in this context a really weird term.  Nothing is
offensive here, invasive or allowing to change kernel state might be
better terms.



