34 lines
1.2 KiB
Plaintext
34 lines
1.2 KiB
Plaintext
|
Allows a process to manipulate aspects of the kernel
|
||
|
|
enhanced Berkeley Packet Filter (BPF) system. This is
|
||
|
|
an execution subsystem of the kernel, that manages BPF
|
||
|
|
programs. CAP_BPF permits a process to:
|
||
|
|
- create all types of BPF maps
|
||
|
|
- advanced verifier features:
|
||
|
|
- indirect variable access
|
||
|
|
- bounded loops
|
||
|
|
- BPF to BPF function calls
|
||
|
|
- scalar precision tracking
|
||
|
|
- larger complexity limits
|
||
|
|
- dead code elimination
|
||
|
|
- potentially other features
|
||
|
|
|
||
|
|
Other capabilities can be used together with CAP_BFP to
|
||
|
|
further manipulate the BPF system:
|
||
|
|
- CAP_PERFMON relaxes the verifier checks as follows:
|
||
|
|
- BPF programs can use pointer-to-integer
|
||
|
|
conversions
|
||
|
|
- speculation attack hardening measures can be
|
||
|
|
bypassed
|
||
|
|
- bpf_probe_read to read arbitrary kernel memory is
|
||
|
|
permitted
|
||
|
|
- bpf_trace_printk to print the content of kernel
|
||
|
|
memory
|
||
|
|
- CAP_SYS_ADMIN permits the following:
|
||
|
|
- use of bpf_probe_write_user
|
||
|
|
- iteration over the system-wide loaded programs,
|
||
|
|
maps, links BTFs and convert their IDs to file
|
||
|
|
descriptors.
|
||
|
|
- CAP_PERFMON is required to load tracing programs.
|
||
|
|
- CAP_NET_ADMIN is required to load networking
|
||
|
|
programs.
|