Message ID | 20230626093614.21270-1-andreaterzolo3@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 2d2c95162de8fc6875c9c3d39f83527ae28e2e8a |
Delegated to: | BPF |
Series | [bpf-next] libbpf: skip modules BTF loading when CAP_SYS_ADMIN is missing |

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Andrii Nakryiko <andrii@kernel.org>:

On Mon, 26 Jun 2023 11:36:14 +0200 you wrote:
> If during CO-RE relocations libbpf is not able to find the target type
> in the running kernel BTF, it searches for it in modules' BTF.
> The downside of this approach is that loading modules' BTF requires
> CAP_SYS_ADMIN and this prevents BPF applications from running with more
> granular capabilities (e.g. CAP_BPF) when they don't need to search
> types into modules' BTF.
>
> [...]

Here is the summary with links:
  - [bpf-next] libbpf: skip modules BTF loading when CAP_SYS_ADMIN is missing
    https://git.kernel.org/bpf/bpf-next/c/2d2c95162de8

You are awesome, thank you!

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index 214f828ece6b..d793a1bfb70c 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -5471,6 +5471,10 @@ static int load_module_btfs(struct bpf_object *obj) err = bpf_btf_get_next_id(id, &id); if (err && errno == ENOENT) return 0; + if (err && errno == EPERM) { + pr_debug("skipping module BTFs loading, missing privileges\n"); + return 0; + } if (err) { err = -errno; pr_warn("failed to iterate BTF objects: %d\n", err);
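
Review bot: The new `errno == EPERM` branch in load_module_btfs() returns 0, the same value as the ENOENT end-of-iteration case just above it, and the only trace is a pr_debug line, so a caller cannot tell "no module BTFs exist" from "module BTFs were not readable". When a CO-RE relocation really does target a type that lives in a module's BTF, the later failure will carry no hint that the lookup was skipped for lack of privileges unless debug logging is on. A short comment above the branch stating that module BTF loading needs CAP_SYS_ADMIN (as the commit message says) and that returning success here is deliberate would help the next reader, and naming the capability in the message text would make the log line actionable for someone running with only CAP_BPF.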