Hi Alexei, On Thu, Oct 8, 2015, at 07:23, Alexei Starovoitov wrote: > The feature is controlled by sysctl kernel.unprivileged_bpf_disabled. > This toggle defaults to off (0), but can be set true (1). Once true, > bpf programs and maps cannot be accessed from unprivileged process, > and the toggle cannot be set back to false.
This approach seems fine to me. I am wondering if it makes sense to somehow allow ebpf access per namespace? I currently have no idea how that could work and on which namespace type to depend or going with a prctl or even cgroup maybe. The rationale behind this is, that maybe some namespaces like openstack router namespaces could make usage of advanced ebpf capabilities in the kernel, while other namespaces, especially where untrusted third parties are hosted, shouldn't have access to those facilities. In that way, hosters would be able to e.g. deploy more efficient performance monitoring container (which should still need not to run as root) while the majority of the users has no access to that. Or think about routing instances in some namespaces, etc. etc. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/