Linus Torvalds writes: (Summary)
For all we know, people run modprobe with CAP_SYS_MODULE only, since
that is obviously the only capability it needs.
Hmm. So the execution is a *blocking* operation (and we get the correct exclusion semantics)
- use deny_write_access() to make sure that we don't have active writers and cannot get them during the execve.
The above means that something that executes to load a new eBPF rule will work very well.