Re: [PATCH bpf-next] bpf: skip unnecessary capability check

On 03/20/2018 12:37 PM, Lorenzo Colitti wrote: > On Tue, Mar 20, 2018 at 12:57 AM, Chenbo Feng > wrote: >> - if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled) >> + if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) >> return -EPERM; >> > >

Re: [PATCH bpf-next] bpf: skip unnecessary capability check

On Tue, Mar 20, 2018 at 12:57 AM, Chenbo Feng wrote: > - if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled) > + if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) > return -EPERM; > Acked-by: Lorenzo Colitti Should this be targeted to bpf

[PATCH bpf-next] bpf: skip unnecessary capability check

From: Chenbo Feng The current check statement in BPF syscall will do a capability check for CAP_SYS_ADMIN before checking sysctl_unprivileged_bpf_disabled. This code path will trigger unnecessary security hooks on capability checking and cause false alarms on unprivileged process trying to get CA