Closing the BPF map permission loophole
“Linux Plumbers Conference”
While working on github.com/cloudflare/tubular we discovered that it’s possible for a program with CAP_BPF to circumvent file permissions of BPF map fds, effectively making it impossible to enforce read-only access. In our case, a process exporting metrics from maps can’t be prevented from…