Commit 2d2c9516 authored by Andrea Terzolo, committed by Andrii Nakryiko

libbpf: Skip modules BTF loading when CAP_SYS_ADMIN is missing

If during CO-RE relocations libbpf is not able to find the target type
in the running kernel BTF, it searches for it in modules' BTF.
The downside of this approach is that loading modules' BTF requires
CAP_SYS_ADMIN and this prevents BPF applications from running with more
granular capabilities (e.g. CAP_BPF) when they don't need to search
for types in modules' BTF.

This patch skips by default modules' BTF loading phase when
CAP_SYS_ADMIN is missing.

Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Co-developed-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/CAGQdkDvYU_e=_NX+6DRkL_-TeH3p+QtsdZwHkmH0w3Fuzw0C4w@mail.gmail.com
Link: https://lore.kernel.org/bpf/20230626093614.21270-1-andreaterzolo3@gmail.com
parent 539c7e67
...@@ -5471,6 +5471,10 @@ static int load_module_btfs(struct bpf_object *obj) ...@@ -5471,6 +5471,10 @@ static int load_module_btfs(struct bpf_object *obj)
err = bpf_btf_get_next_id(id, &id); err = bpf_btf_get_next_id(id, &id);
if (err && errno == ENOENT) if (err && errno == ENOENT)
return 0; return 0;
if (err && errno == EPERM) {
pr_debug("skipping module BTFs loading, missing privileges\n");
return 0;
}
if (err) { if (err) {
err = -errno; err = -errno;
pr_warn("failed to iterate BTF objects: %d\n", err); pr_warn("failed to iterate BTF objects: %d\n", err);
......
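Review bot: The new `errno == EPERM` branch in load_module_btfs() returns 0 after only a pr_debug, so a caller whose CO-RE relocation later fails because the target type lives in a module sees no hint at warning level that module BTFs were skipped for lack of privileges. The branch also has no comment tying EPERM from bpf_btf_get_next_id() to a missing CAP_SYS_ADMIN; that link exists only in the commit message. Suggest a one-line comment above `if (err && errno == EPERM) {` stating that assumption, and consider having the debug message name the missing capability so that anyone running with CAP_BPF only can tell from the log why module types were not searched.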