On 29/08/2019 at 07:12, Alexei Starovoitov wrote:
[snip]
> CAP_BPF and CAP_NET_ADMIN together allow the following:
> - Attach to cgroup-bpf hooks and query
> - skb, xdp, flow_dissector test_run command
>
> CAP_NET_ADMIN allows:
> - Attach networking bpf programs to xdp, tc, lwt, flow dissector

I'm not sure I understand the difference between these last two points.
But, with the current kernel, CAP_NET_ADMIN is not enough to attach a bpf
prog with tc, and it's still not enough after your patch. The following
command is rejected:

$ tc filter add dev eth0 ingress matchall action bpf obj ./tc_test_kern.o sec test

Prog section 'test' rejected: Operation not permitted (1)!
 - Type:         4
 - Instructions: 22 (0 over limit)
 - License:      GPL

Verifier analysis:

Error fetching program/map!
bad action parsing
parse_action: bad value (5:bpf)!
Illegal "action"
$

Like Andy, I'm also wondering about the backward compatibility.
With my current docker, I'm able to play with tc bpf with CAP_SYS_ADMIN.
But if I update my kernel with your patches, CAP_SYS_ADMIN doesn't allow
that anymore, and CAP_BPF is not implemented in my current docker, thus I
cannot give the correct capabilities.
In other words, an old docker cannot run on a new kernel.

Regards,
Nicolas
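As an added illustration of the backward-compatibility point raised in this message (not code from the thread or the kernel), the script below decodes the CapEff mask from /proc/<pid>/status and reports whether a process holds CAP_NET_ADMIN, CAP_SYS_ADMIN and CAP_BPF, then applies the rule quoted above (cgroup-bpf attach needs CAP_BPF together with CAP_NET_ADMIN). The bit numbers are assumptions taken from the merged include/uapi/linux/capability.h (CAP_BPF = 39 since Linux 5.8); the 2019 patchset discussed here may have numbered CAP_BPF differently, and the sample status text is constructed.

```python
"""Decode CapEff from /proc/<pid>/status and report the capabilities
relevant to loading/attaching bpf programs from a container."""
import os
import re

# Bit numbers from the merged uapi capability.h; CAP_BPF's value is an
# assumption relative to the patchset under discussion (see lead-in).
CAP_BITS = {
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_ADMIN": 21,
    "CAP_BPF": 39,
}

def decode_caps(capeff_hex: str) -> dict:
    """Map each capability of interest to whether its bit is set in the mask."""
    mask = int(capeff_hex, 16)
    return {name: bool((mask >> bit) & 1) for name, bit in CAP_BITS.items()}

def capeff_from_status(status_text: str) -> str:
    """Pull the hex mask that follows 'CapEff:' in a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return m.group(1)

def can_attach_cgroup_bpf(caps: dict) -> bool:
    """Rule quoted from the patch description: CAP_BPF and CAP_NET_ADMIN together."""
    return caps["CAP_BPF"] and caps["CAP_NET_ADMIN"]

# Constructed sample: a container granted CAP_NET_ADMIN and CAP_SYS_ADMIN but
# not CAP_BPF, i.e. the "old docker on a new kernel" situation in the message.
SAMPLE_STATUS = (
    "Name:\ttc\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000201000\n"
    "CapEff:\t0000000000201000\n"
    "CapBnd:\t0000000000201000\n"
)

def report(status_text: str) -> dict:
    """Print which capabilities are held and return the decoded dict."""
    caps = decode_caps(capeff_from_status(status_text))
    for name, held in caps.items():
        print(f"{name:14s} {'yes' if held else 'no'}")
    print("CAP_BPF && CAP_NET_ADMIN:", "yes" if can_attach_cgroup_bpf(caps) else "no")
    return caps

if __name__ == "__main__":
    report(SAMPLE_STATUS)
    if os.path.exists("/proc/self/status"):  # live check on Linux
        with open("/proc/self/status") as f:
            report(f.read())
```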