
List:       linux-api
Subject:    Re: [PATCH v2 bpf-next 2/3] bpf: implement CAP_BPF
From:       Nicolas Dichtel <nicolas.dichtel () 6wind ! com>
Date:       2019-08-30 15:19:02
Message-ID: 59ac111e-7ce7-5e00-32c9-9b55482fe701 () 6wind ! com

On 29/08/2019 at 19:30, Alexei Starovoitov wrote:
[snip]
> These are the links showing that k8 can delegate caps.
> Are you saying that you know of folks who specifically
> delegate cap_sys_admin and cap_net_admin _only_ to a container to run bpf in there?
> 
Yes, we need cap_sys_admin only to load bpf:
tc filter add dev eth0 ingress matchall action bpf obj ./tc_test_kern.o sec test

I'm not sure I understand why cap_net_admin is not enough to run the previous
command (i.e. why load is forbidden).

I want to avoid sys_admin, thus cap_bpf will be ok. But we need to manage the
backward compatibility.

Regards,
Nicolas