On Wed, 7 Aug 2019 at 06:24, Andy Lutomirski <luto@xxxxxxxxxx> wrote: > a) Those that, by design, control privileged operations. This > includes most attach calls, but it also includes allow_ptr_leaks, > bpf_probe_read(), and quite a few other things. It also includes all > of the by_id calls, I think, unless some clever modification to the > way they worked would isolate different users' objects. I think that > persistent objects can do pretty much everything that by_id users > would need, so this isn't a big deal. Slightly OT, since this is an implementation question: GET_MAP_FD_BY_ID is useful to iterate a nested map. This isn't covered by rights to persistent objects, so it would need some thought. -- Lorenz Bauer | Systems Engineer 6th Floor, County Hall/The Riverside Building, SE1 7PB, UK www.cloudflare.com
