next 2/2] bpf: Remove the capability check for cgroup skb
> eBPF program
> - if (type != BPF_PROG_TYPE_SOCKET_FILTER
> && !capable(CAP_SYS_ADMIN))
> + if (type != BPF_PROG_TYPE_SOCKET_FILTER
> + && type != BPF_PROG_TYPE_CGROUP_SKB
> + &&am
From: Chenbo Feng
Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user have CAP_NET_ADMIN privilege. We can escape the capability
check when load the program just like socket filter program to make
the capabi