List: linux-api
Subject: Re: [PATCH v2 bpf-next 2/3] bpf: implement CAP_BPF
From: Nicolas Dichtel <nicolas.dichtel () 6wind ! com>
Date: 2019-08-30 15:19:02
Message-ID: 59ac111e-7ce7-5e00-32c9-9b55482fe701 () 6wind ! com
On 29/08/2019 at 19:30, Alexei Starovoitov wrote:
[snip]
> These are the links showing that k8 can delegate caps.
> Are you saying that you know of folks who specifically
> delegate cap_sys_admin and cap_net_admin _only_ to a container to run bpf in there?
>
Yes, we need cap_sys_admin only to load bpf:
tc filter add dev eth0 ingress matchall action bpf obj ./tc_test_kern.o sec test
I'm not sure I understand why cap_net_admin is not enough to run the previous
command (i.e. why load is forbidden).
I want to avoid sys_admin, thus cap_bpf will be ok. But we need to manage the
backward compatibility.
Regards,
Nicolas