bpf: skip unnecessary capability check
The current check statement in BPF syscall will do a capability check for CAP_SYS_ADMIN before checking sysctl_unprivileged_bpf_disabled. This code path will trigger unnecessary security hooks on capability checking and cause false alarms on unprivileged process trying to get CAP_SYS_ADMIN access. This can be resolved by simply switch the order of the statement and CAP_SYS_ADMIN is not required anyway if unprivileged bpf syscall is allowed. Signed-off-by: NChenbo Feng <fengc@google.com> Acked-by: NLorenzo Colitti <lorenzo@google.com> Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Showing
想要评论请 注册 或 登录