On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote: > From: Chenbo Feng <fe...@google.com> > > Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN > capability while attaching the program to a cgroup only requires the > user have CAP_NET_ADMIN privilege. We can escape the capability > check when load the program just like socket filter program to make > the capability requirement consistent. > > Change since v1: > Change the code style in order to be compliant with checkpatch.pl > preference > > Signed-off-by: Chenbo Feng <fe...@google.com>
as far as I can see they're indeed the same as socket filters, so Acked-by: Alexei Starovoitov <a...@kernel.org> but I don't quite understand how it helps, since as you said attaching such unpriv fd to cgroup still requires root. Do you have more patches to follow?
