On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote: > From: Chenbo Feng <[email protected]> > > Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN > capability while attaching the program to a cgroup only requires the > user have CAP_NET_ADMIN privilege. We can escape the capability > check when load the program just like socket filter program to make > the capability requirement consistent. > > Change since v1: > Change the code style in order to be compliant with checkpatch.pl > preference > > Signed-off-by: Chenbo Feng <[email protected]>
as far as I can see they're indeed the same as socket filters, so Acked-by: Alexei Starovoitov <[email protected]> but I don't quite understand how it helps, since as you said attaching such unpriv fd to cgroup still requires root. Do you have more patches to follow?
