mirror of https://github.com/mkerrisk/man-pages
bpf.2: Change note on unprivileged access
This notes that the kernel now allows calls to bpf() without CAP_SYS_ADMIN under some circumstances.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 2a2b2a5dd7
commit 821bf91cf6
22
man2/bpf.2
|
@ -1120,11 +1120,29 @@ The
|
|||
.BR bpf ()
|
||||
system call is Linux-specific.
|
||||
.SH NOTES
|
||||
In the current implementation, all
|
||||
Prior to Linux 4.4, all
|
||||
.BR bpf ()
|
||||
commands require the caller to have the
|
||||
.B CAP_SYS_ADMIN
|
||||
capability.
|
||||
capability. From 4.4 onwards an unprivileged user may create limited
|
||||
programs of type
|
||||
.BR BPF_PROG_TYPE_SOCKET_FILTER
|
||||
and associated maps. However they may not store kernel pointers within
|
||||
the maps and are presently limited to the following helper functions:
|
||||
.IP * 3
|
||||
get_random
|
||||
.PD 0
|
||||
.IP *
|
||||
get_smp_processor_id
|
||||
.IP *
|
||||
tail_call
|
||||
.IP *
|
||||
ktime_get_ns
|
||||
.PD 1
|
||||
.PP
|
||||
Unprivileged access may be blocked by setting the sysctl
|
||||
.IR /proc/sys/kernel/unprivileged_bpf_disabled .
|
||||
.\" commit 1be7f75d1668d6296b80bf35dcf6762393530afc
|
||||
.PP
|
||||
eBPF objects (maps and programs) can be shared between processes.
|
||||
For example, after
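Review bot: the sentence added at the end of the new NOTES text, "Unprivileged access may be blocked by setting the sysctl /proc/sys/kernel/unprivileged_bpf_disabled", does not say which value to write or whether the setting can be reverted afterwards, and an administrator hardening a host needs both; please state the value and its persistence explicitly. In the helper list, the entries (get_random, get_smp_processor_id, tail_call, ktime_get_ns) are shortened forms; giving the full helper identifiers (for example bpf_get_prandom_u32 for get_random) would let readers search for them in the kernel headers. Two style points: the added line ".BR BPF_PROG_TYPE_SOCKET_FILTER" takes a single argument, so ".B" matches the existing ".B CAP_SYS_ADMIN" a few lines above; and "From 4.4 onwards" should read "From Linux 4.4 onwards" to match "Prior to Linux 4.4", with a comma after "However".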