bpf.2: Change note on unprivileged access

This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN under some circumstances. Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-07-29 14:58:43 +02:00 · 2019-07-29 14:58:43 +02:00 · 821bf91cf6
parent 2a2b2a5dd7
commit 821bf91cf6
1 changed files with 20 additions and 2 deletions
--- a/man2/bpf.2
+++ b/man2/bpf.2
@ -1120,11 +1120,29 @@ The
 .BR bpf ()
 system call is Linux-specific.
 .SH NOTES
-In the current implementation, all
+Prior to Linux 4.4, all
 .BR bpf ()
 commands require the caller to have the
 .B CAP_SYS_ADMIN
-capability.
+capability. From 4.4 onwards an unprivileged user may create limited
+programs of type
+.BR BPF_PROG_TYPE_SOCKET_FILTER
+and associated maps. However they may not store kernel pointers within
+the maps and are presently limited to the following helper functions:
+.IP * 3
+get_random
+.PD 0
+.IP *
+get_smp_processor_id
+.IP *
+tail_call
+.IP *
+ktime_get_ns
+.PD 1
+.PP
+Unprivileged access may be blocked by setting the sysctl
+.IR /proc/sys/kernel/unprivileged_bpf_disabled .
+.\" commit 1be7f75d1668d6296b80bf35dcf6762393530afc
 .PP
 eBPF objects (maps and programs) can be shared between processes.
 For example, after