Hello Michael,

Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> writes:

> Hello Richard,
>
> On 7/29/19 2:58 PM, Richard Palethorpe wrote:
>> This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN
>> under some circumstances.
>
> Thanks. I have (at last) applied this patch. :-)
>
> In Linux 4.4, the allowed BPF helper functions that could
> be called were, I think, governed by a check in sk_filter_func_proto().
> Nowadays (Linux 5.6), it is, I think, governed by the check in
> sk_filter_func_proto(). If that is the case, then probably there

It looks like bpf_base_func_proto() and sk_filter_func_proto(). Possibly
also cg_skb_func_proto() because it seems normal users can also attach a
cgroup skb filter program type (looking at bpf_prog_load() in syscall.c
for 5.7).

> are one or two more helper functions to be added to the list
> (e.g., get_numa_node_id, map_push_elem, map_pop_elem).
> Do you agree with my analysis?

Yes, at least those. IMO this is such a fast-moving target it might be
best to direct users towards <linux/bpf.h>.

>
> Thanks,
>
> Michael
>
>> Signed-off-by: Richard Palethorpe <rpalethorpe@xxxxxxxx>
>> ---
>> man2/bpf.2 | 22 ++++++++++++++++++++--
>> 1 file changed, 20 insertions(+), 2 deletions(-)
>>
>> diff --git a/man2/bpf.2 b/man2/bpf.2
>> index b5c0869ae..a57ed9086 100644
>> --- a/man2/bpf.2
>> +++ b/man2/bpf.2
>> @@ -1120,11 +1120,29 @@ The >> .BR bpf () >> system call is Linux-specific. >> .SH NOTES >> -In the current implementation, all >> +Prior to Linux 4.4, all >> .BR bpf () >> commands require the caller to have the >> .B CAP_SYS_ADMIN >> -capability. >> +capability. From 4.4 onwards an unprivileged user may create limited >> +programs of type >> +.BR BPF_PROG_TYPE_SOCKET_FILTER >> +and associated maps. However they may not store kernel pointers within >> +the maps and are presently limited to the following helper functions: >> +.IP * 3 >> +get_random >> +.PD 0 >> +.IP * >> +get_smp_processor_id >> +.IP * >> +tail_call >> +.IP * >> +ktime_get_ns >> +.PD 1 >> +.PP >> +Unprivileged access may be blocked by setting the sysctl >> +.IR /proc/sys/kernel/unprivileged_bpf_disabled . >> +.\" commit 1be7f75d1668d6296b80bf35dcf6762393530afc >> .PP >> eBPF objects (maps and programs) can be shared between processes. >> For example, after >> -- Thank you, Richard.
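Review bot: the helper list in this hunk (get_random, get_smp_processor_id, tail_call, ktime_get_ns) is written as the complete set ("are presently limited to the following helper functions"), but the discussion above already names further helpers available to unprivileged socket-filter programs on current kernels (get_numa_node_id, map_push_elem, map_pop_elem), and the set is decided by kernel code that changes between releases; either soften the wording to "such as" or, as the reply suggests, point readers at <linux/bpf.h> for the authoritative list rather than freezing a 4.4-era list into the page. Three smaller points in the same hunk: "+Prior to Linux 4.4, all ... commands require" should be "required", since the sentence now describes past behaviour; "+Unprivileged access may be blocked by setting the sysctl" never says what to write to it (a nonzero value), so a reader cannot act on it; and "+.BR BPF_PROG_TYPE_SOCKET_FILTER" has a single argument, so ".B" is the macro meant there (".BR" alternates bold and roman between arguments). "+and associated maps. However they may not" also wants a comma after "However".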
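As an added example (not from this thread and not man-pages or kernel code), here is a small C check that an administrator can run on a host to see whether the behaviour the patch documents is in effect: it reads the sysctl the patch names, /proc/sys/kernel/unprivileged_bpf_disabled, and then attempts the cheapest bpf() operation, BPF_MAP_CREATE of a one-entry array map, as the current user. The function names (probe_unprivileged_bpf, read_unprivileged_bpf_sysctl, describe_unprivileged_bpf_sysctl) and the result enum are this example's own; the BPF_MAP_CREATE and BPF_MAP_TYPE_ARRAY constants and the leading fields of the map-create attribute are copied from the kernel UAPI so the file compiles without <linux/bpf.h>.

```c
/* Added example: probe whether this host lets an unprivileged process use
 * bpf(). Run it as a normal user; as root the map creation succeeds through
 * CAP_SYS_ADMIN regardless of the sysctl and tells you nothing. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Minimal subset of the UAPI definitions, copied so that this file builds
 * without kernel headers. The values match the kernel ABI. */
#define BPF_MAP_CREATE      0
#define BPF_MAP_TYPE_ARRAY  2

/* Leading fields of union bpf_attr for BPF_MAP_CREATE. Passing a shorter
 * attribute than the kernel's is allowed; the kernel zero-fills the rest. */
struct bpf_map_create_attr {
    uint32_t map_type;
    uint32_t key_size;
    uint32_t value_size;
    uint32_t max_entries;
    uint32_t map_flags;
};

/* Example's own classification of the probe outcome. */
enum bpf_probe_result {
    BPF_PROBE_ALLOWED = 0,   /* map created: unprivileged bpf() works here   */
    BPF_PROBE_DENIED,        /* EPERM: capability check, sysctl, or seccomp  */
    BPF_PROBE_UNAVAILABLE,   /* ENOSYS, or not a Linux build at all          */
    BPF_PROBE_OTHER_ERROR    /* anything else (EINVAL, EACCES, ...)          */
};

/* Try BPF_MAP_CREATE with no program involved and classify the result. */
enum bpf_probe_result probe_unprivileged_bpf(void)
{
#ifdef __NR_bpf
    struct bpf_map_create_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_type    = BPF_MAP_TYPE_ARRAY;
    attr.key_size    = 4;   /* array maps require 4-byte keys */
    attr.value_size  = 4;
    attr.max_entries = 1;

    long fd = syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    if (fd >= 0) {
        close((int)fd);      /* release the map; it was only a probe */
        return BPF_PROBE_ALLOWED;
    }
    if (errno == EPERM)  return BPF_PROBE_DENIED;
    if (errno == ENOSYS) return BPF_PROBE_UNAVAILABLE;
    return BPF_PROBE_OTHER_ERROR;
#else
    return BPF_PROBE_UNAVAILABLE;
#endif
}

/* Value of /proc/sys/kernel/unprivileged_bpf_disabled, or -1 when it cannot
 * be read (non-Linux, kernel before 4.4, /proc not mounted). */
long read_unprivileged_bpf_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/unprivileged_bpf_disabled", "r");
    if (!f)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Human-readable meaning of the sysctl value for a hardening report. */
const char *describe_unprivileged_bpf_sysctl(long v)
{
    switch (v) {
    case 0:  return "0: unprivileged bpf() allowed";
    case 1:  return "1: unprivileged bpf() disabled; cannot be re-enabled until reboot";
    case 2:  return "2: unprivileged bpf() disabled; privileged process may set it back to 0 (newer kernels)";
    default: return "sysctl not readable (not Linux, kernel before 4.4, or /proc unavailable)";
    }
}

int main(void)
{
    static const char *names[] = { "allowed", "denied (EPERM)", "unavailable", "other error" };
    long v = read_unprivileged_bpf_sysctl();
    printf("unprivileged_bpf_disabled: %s\n", describe_unprivileged_bpf_sysctl(v));
    enum bpf_probe_result r = probe_unprivileged_bpf();
    printf("BPF_MAP_CREATE as uid %u: %s\n", (unsigned)geteuid(), names[r]);
    if (geteuid() == 0)
        puts("(running as root: success reflects CAP_SYS_ADMIN, not the sysctl)");
    return 0;
}
```

A result of "allowed" as a non-root user means the 4.4 behaviour the patch describes is live on that host; "denied" with the sysctl at 0 usually means a seccomp filter or container runtime is blocking the syscall before the kernel's own capability check runs, which is worth recording separately in an audit.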