* bpf_jit_blinding_enabled capabilities
@ 2022-06-02 10:11 Yauheni Kaliuta
0 siblings, 0 replies; only message in thread
From: Yauheni Kaliuta @ 2022-06-02 10:11 UTC (permalink / raw)
To: bpf; +Cc: Jiri Benc
Hi!
I'm wodering about the cap check against CAP_SYS_ADMIN:
static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog)
{
/* These are the prerequisites, should someone ever have the
* idea to call blinding outside of them, we make sure to
* bail out.
*/
if (!bpf_jit_is_ebpf())
return false;
if (!prog->jit_requested)
return false;
if (!bpf_jit_harden)
return false;
if (bpf_jit_harden == 1 && capable(CAP_SYS_ADMIN))
return false;
return true;
}
Is it intentional to provide more security or oversight in commit
2c78ee898d8f ("bpf: Implement CAP_BPF")
(and should be bpf_capable())?
--
WBR,
Yauheni Kaliuta
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-06-02 10:12 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-02 10:11 bpf_jit_blinding_enabled capabilities Yauheni Kaliuta
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox