On Mon, 22 Jul 2019 at 21:54, Song Liu <songliubraving@xxxxxx> wrote:
>
> Hi Andy, Lorenz, and all,
>
> With 5.3-rc1 out, I am back on this. :)
>
> How about we modify the set as:
> 1. Introduce sys_bpf_with_cap() that takes fd of /dev/bpf.
> 2. Better handling of capable() calls through bpf code. I guess the
> biggest problem here is is_priv in verifier.c:bpf_check().
>
> With this approach, we will be able to pass the fd around, so it should
> also solve problem for Go.

Thanks for picking this up again. I need to figure out what the API for this
would look like on the Go side, but I think it's a nice solution!

Lorenz

--
Lorenz Bauer | Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK

www.cloudflare.com