
[$] Providing wider access to bpf()

Thursday June 27, 2019. 04:56 PM, from LWN.net
The bpf() system call allows user space to load a BPF program into the kernel for execution, manipulate BPF maps, and carry out a number of other BPF-related functions. BPF programs are verified and sandboxed, but they are still running in a privileged context and, depending on the type of program loaded, are capable of creating various types of mayhem. As a result, most BPF operations, including the loading of almost all types of BPF program, are restricted to processes with the CAP_SYS_ADMIN capability — those running as root, as a general rule. BPF programs are useful in many contexts, though, so there has long been interest in making access to bpf() more widely available. One step in that direction has been posted by Song Liu; it works by adding a novel security-policy mechanism to the kernel.
https://lwn.net/Articles/792124/rss