mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-02 08:34:20 +08:00
e459f49b43
Add support for separation of eBPF program load and xsk socket creation. This is needed for use-case when you want to privide as little privileges as possible to the data plane application that will handle xsk socket creation and incoming traffic. With this patch the data entity container can be run with only CAP_NET_RAW capability to fulfill its purpose of creating xsk socket and handling packages. In case your umem is larger or equal process limit for MEMLOCK you need either increase the limit or CAP_IPC_LOCK capability. To resolve privileges issue two APIs are introduced: - xsk_setup_xdp_prog - loads the built in XDP program. It can also return xsks_map_fd which is needed by unprivileged process to update xsks_map with AF_XDP socket "fd" - xsk_socket__update_xskmap - inserts an AF_XDP socket into an xskmap for a particular xsk_socket Signed-off-by: Mariusz Dudek <mariuszx.dudek@intel.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Magnus Karlsson <magnus.karlsson@intel.com> Link: https://lore.kernel.org/bpf/20201203090546.11976-2-mariuszx.dudek@intel.com |
||
|---|---|---|
| .. | ||
| accounting | ||
| arch | ||
| bootconfig | ||
| bpf | ||
| build | ||
| cgroup | ||
| debugging | ||
| edid | ||
| firewire | ||
| firmware | ||
| gpio | ||
| hv | ||
| iio | ||
| include | ||
| io_uring | ||
| kvm/kvm_stat | ||
| laptop | ||
| leds | ||
| lib | ||
| memory-model | ||
| objtool | ||
| pci | ||
| pcmcia | ||
| perf | ||
| power | ||
| scripts | ||
| spi | ||
| testing | ||
| thermal/tmon | ||
| time | ||
| usb | ||
| virtio | ||
| vm | ||
| wmi | ||
| Makefile | ||