[$] Providing wider access to bpf()
Thursday 27 June 2019, 16:56, by LWN.net
The bpf() system call allows user space to load a BPF program into the kernel for execution, manipulate BPF maps, and carry out a number of other BPF-related functions. BPF programs are verified and sandboxed, but they are still running in a privileged context and, depending on the type of program loaded, are capable of creating various types of mayhem. As a result, most BPF operations, including the loading of almost all types of BPF program, are restricted to processes with the CAP_SYS_ADMIN capability — those running as root, as a general rule. BPF programs are useful in many contexts, though, so there has long been interest in making access to bpf() more widely available. One step in that direction has been posted by Song Liu; it works by adding a novel security-policy mechanism to the kernel.
https://lwn.net/Articles/792124/rss