Unprivileged eBPF Support In The Works For The Linux Kernel
In the past year or so there's been a lot to talk about when it comes to eBPF in the Linux kernel as an in-kernel virtual machine. The latest functionality being worked on is supporting eBPF for unprivileged users.
Alexei Starovoitov has published patches to "liberate eBPF from CAP_SYS_ADMIN" that take care of the work needed to allow eBPF to be used by non-root users.
However, not every use of eBPF will be open to non-root users. Alexei explained, "Unprivileged eBPF is only meaningful for 'socket filter'-like programs. eBPF programs for tracing and TC classifiers/actions will stay root only."
Those wishing to learn more can see this kernel mailing list post with the relevant patches.