On Tue, May 14, 2019 at 7:43 PM Chenbo Feng <fe...@google.com> wrote:
>
> For iptable module to load a bpf program from a pinned location, it
> only retrieves a loaded program and cannot change the program content so
> requiring a write permission for it might not be necessary.
> Also when adding or removing an unrelated iptable rule, it might need to
> flush and reload the xt_bpf related rules as well and trigger the inode
> permission check. It might be better to remove the write permission
> check for the inode so we won't need to grant write access to all the
> processes that flush and restore iptables rules.
>
> Signed-off-by: Chenbo Feng <fe...@google.com>

Applied. The fix makes sense to me.