On Thu, Jun 01, 2017 at 06:55:09PM -0700, Chenbo Feng wrote: > On Thu, Jun 1, 2017 at 4:42 PM, Alexei Starovoitov < > alexei.starovoi...@gmail.com> wrote: > > > On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote: > > > From: Chenbo Feng <fe...@google.com> > > > > > > Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN > > > capability while attaching the program to a cgroup only requires the > > > user have CAP_NET_ADMIN privilege. We can escape the capability > > > check when load the program just like socket filter program to make > > > the capability requirement consistent. > > > > > > Change since v1: > > > Change the code style in order to be compliant with checkpatch.pl > > > preference > > > > > > Signed-off-by: Chenbo Feng <fe...@google.com> > > > > as far as I can see they're indeed the same as socket filters, so > > Acked-by: Alexei Starovoitov <a...@kernel.org> > > > > but I don't quite understand how it helps, since as you said > > attaching such unpriv fd to cgroup still requires root. > > Do you have more patches to follow? > > > > Actually not, the purpose of this patch is only to make sure if a program > have > CAP_NET_ADMIN but not CAP_SYS_ADMIN it can still load and attach eBPF > programs to cgroup.
got it. Thanks
