Hello Richard,

On 7/29/19 2:58 PM, Richard Palethorpe wrote:
> This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN
> under some circumstances.

Thanks. I have (at last) applied this patch.

In Linux 4.4, the allowed BPF helper functions that could be called were, I think, governed by a check in sk_filter_func_proto(). Nowadays (Linux 5.6), it is, I think, governed by the check in sk_filter_func_proto(). If that is the case, then probably there are one or two more helper functions to be added to the list (e.g., get_numa_node_id, map_push_elem, map_pop_elem).

Do you agree with my analysis?

Thanks,

Michael

> Signed-off-by: Richard Palethorpe <rpalethorpe@xxxxxxxx>
> ---
>  man2/bpf.2 | 22 ++++++++++++++++++++--
>  1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/man2/bpf.2 b/man2/bpf.2
> index b5c0869ae..a57ed9086 100644
> --- a/man2/bpf.2
> +++ b/man2/bpf.2
> @@ -1120,11 +1120,29 @@ The
>  .BR bpf ()
>  system call is Linux-specific.
>  .SH NOTES
> -In the current implementation, all
> +Prior to Linux 4.4, all
>  .BR bpf ()
>  commands require the caller to have the
>  .B CAP_SYS_ADMIN
> -capability.
> +capability. From 4.4 onwards an unprivileged user may create limited
> +programs of type
> +.BR BPF_PROG_TYPE_SOCKET_FILTER
> +and associated maps. However they may not store kernel pointers within
> +the maps and are presently limited to the following helper functions:
> +.IP * 3
> +get_random
> +.PD 0
> +.IP *
> +get_smp_processor_id
> +.IP *
> +tail_call
> +.IP *
> +ktime_get_ns
> +.PD 1
> +.PP
> +Unprivileged access may be blocked by setting the sysctl
> +.IR /proc/sys/kernel/unprivileged_bpf_disabled .
> +.\" commit 1be7f75d1668d6296b80bf35dcf6762393530afc
>  .PP
>  eBPF objects (maps and programs) can be shared between processes.
>  For example, after

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
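Review bot: the rewritten NOTES paragraph ends up with a tense mismatch, because "-In the current implementation, all" becomes "+Prior to Linux 4.4, all" while the unchanged context line "commands require the caller to have the" is kept, so the rendered sentence reads "Prior to Linux 4.4, all bpf() commands require ..."; that context line should become "commands required the caller to have the". Two smaller points in the same hunk: "However they may not store kernel pointers" wants a comma after "However", and the helper list is only qualified as "presently", which is unreliable in a man page that is read against many kernel versions; state which kernel the list reflects (the commit already named in the ".\" commit 1be7f75d..." line would serve) so a reader of a later kernel knows the list may be incomplete. Finally, "Unprivileged access may be blocked by setting the sysctl /proc/sys/kernel/unprivileged_bpf_disabled" does not say which value blocks it, which is the one thing an administrator reading this paragraph needs.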