@mozzieongit requested the ability to unload programs without CAP_SYS_ADMIN, so
that an application can drop privileges after loading (see #432).
It may be possible to support unloading of XDP programs without having
CAP_SYS_ADMIN, by simply removing the pinned bpf_link of the currently loaded
program in bpffs. This will detach the program from the loaded dispatcher, which
will just skip the slot. And if it's the last program loaded, removing the
dispatcher can be done with just CAP_NET_ADMIN.
In any case, the caveat is that the application needs appropriate permissions to
modify files in bpffs, which may throw a wrench in the whole thing. But it's
worth investigating, as it may enable some uses that are currently not possible
due to the CAP_SYS_ADMIN requirement.
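
A sketch of the unpin step proposed above, written as an added example and not taken from libxdp: it checks the bpffs permission caveat before unlinking the pinned link. The function name `unpin_link` is hypothetical and the pin path is supplied by the caller; libxdp's actual pin layout is not assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/vfs.h>
#include <unistd.h>

#define BPFFS_MAGIC 0xcafe4a11 /* same value as BPF_FS_MAGIC in <linux/magic.h> */

/* Remove a pinned bpf_link; the kernel drops the attachment once no other
 * reference to the link remains. Returns 0 or a negative errno value. */
int unpin_link(const char *pin_path)
{
    char buf[PATH_MAX];
    struct statfs sfs;
    const char *dir;

    if (strlen(pin_path) >= sizeof(buf))
        return -ENAMETOOLONG;
    strcpy(buf, pin_path);
    dir = dirname(buf);

    /* Refuse to delete anything that does not live on a bpffs mount. */
    if (statfs(dir, &sfs) < 0)
        return -errno;
    if ((unsigned long)sfs.f_type != BPFFS_MAGIC)
        return -EXDEV;

    /* unlink() needs write+search permission on the directory, checked with
     * the effective IDs the process has left after dropping privileges. */
    if (faccessat(AT_FDCWD, dir, W_OK | X_OK, AT_EACCESS) < 0)
        return -errno;
    return unlink(pin_path) < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
    int err = argc == 2 ? unpin_link(argv[1]) : -EINVAL;

    if (err)
        fprintf(stderr, "unpin failed: %s\n", strerror(-err));
    return err ? 1 : 0;
}
```

An `-EACCES` result here means the bpffs directory ownership or mode has to be arranged before privileges are dropped, which is the caveat the issue raises.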