This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN under some circumstances. Signed-off-by: Richard Palethorpe <rpalethorpe@xxxxxxxx> --- man2/bpf.2 | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/man2/bpf.2 b/man2/bpf.2 index b5c0869ae..a57ed9086 100644 --- a/man2/bpf.2 +++ b/man2/bpf.2 @@ -1120,11 +1120,29 @@ The .BR bpf () system call is Linux-specific. .SH NOTES -In the current implementation, all +Prior to Linux 4.4, all .BR bpf () commands require the caller to have the .B CAP_SYS_ADMIN -capability. +capability. From 4.4 onwards an unprivileged user may create limited +programs of type +.BR BPF_PROG_TYPE_SOCKET_FILTER +and associated maps. However they may not store kernel pointers within +the maps and are presently limited to the following helper functions: +.IP * 3 +get_random +.PD 0 +.IP * +get_smp_processor_id +.IP * +tail_call +.IP * +ktime_get_ns +.PD 1 +.PP +Unprivileged access may be blocked by setting the sysctl +.IR /proc/sys/kernel/unprivileged_bpf_disabled . +.\" commit 1be7f75d1668d6296b80bf35dcf6762393530afc .PP eBPF objects (maps and programs) can be shared between processes. For example, after -- 2.22.0
