Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> writes:

> On Thu, Aug 29, 2019 at 09:44:18AM +0200, Toke Høiland-Jørgensen wrote:
>> Alexei Starovoitov <ast@xxxxxxxxxx> writes:
>>
>> > CAP_BPF allows the following BPF operations:
>> > - Loading all types of BPF programs
>> > - Creating all types of BPF maps except:
>> >    - stackmap that needs CAP_TRACING
>> >    - devmap that needs CAP_NET_ADMIN
>> >    - cpumap that needs CAP_SYS_ADMIN
>>
>> Why CAP_SYS_ADMIN instead of CAP_NET_ADMIN for cpumap?
>
> Currently it's cap_sys_admin and I think it should stay this way
> because it creates kthreads.

Ah, right. I can sorta see that makes sense because of the kthreads, but
it also means that you can use all of XDP *except* cpumap with
CAP_NET_ADMIN+CAP_BPF. That is bound to create confusion, isn't it?

-Toke