Allows a process to manipulate aspects of the kernel enhanced Berkeley Packet Filter (BPF) system. This is an execution subsystem of the kernel that manages BPF programs. CAP_BPF permits a process to:
 - create all types of BPF maps
 - use advanced verifier features:
   - indirect variable access
   - bounded loops
   - BPF to BPF function calls
   - scalar precision tracking
   - larger complexity limits
   - dead code elimination
   - potentially other features

Other capabilities can be used together with CAP_BPF to further manipulate the BPF system:
 - CAP_PERFMON relaxes the verifier checks as follows:
   - BPF programs can use pointer-to-integer conversions
   - speculation attack hardening measures can be bypassed
   - bpf_probe_read to read arbitrary kernel memory is permitted
   - bpf_trace_printk to print the content of kernel memory
 - CAP_SYS_ADMIN permits the following:
   - use of bpf_probe_write_user
   - iteration over the system-wide loaded programs, maps, links and BTFs, and conversion of their IDs to file descriptors
 - CAP_PERFMON is required to load tracing programs.
 - CAP_NET_ADMIN is required to load networking programs.
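The rules above gate BPF features on combinations of capabilities, which is what an auditor checks when reviewing a process or container profile. As an added example (not part of the capabilities text), the C code below decodes a CapEff mask of the form found in /proc/<pid>/status and maps it onto those rules; the BPF_PERM_* flag names are ours, the capability bit numbers are from linux/capability.h, and the CAP_SYS_ADMIN fallback reflects the kernel's bpf_capable()/perfmon_capable() helpers rather than anything stated above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define CAP_PERFMON   38
#define CAP_BPF       39

/* Flags returned by bpf_permissions(); names chosen for this example. */
enum {
    BPF_PERM_BASE    = 1 << 0, /* create maps, advanced verifier features */
    BPF_PERM_RELAXED = 1 << 1, /* relaxed verifier checks, bpf_probe_read, ... */
    BPF_PERM_TRACING = 1 << 2, /* may load tracing programs */
    BPF_PERM_NET     = 1 << 3, /* may load networking programs */
    BPF_PERM_ADMIN   = 1 << 4, /* bpf_probe_write_user, ID-to-fd iteration */
};

/* True if cap is in mask, or if CAP_SYS_ADMIN is: the kernel's
 * bpf_capable()/perfmon_capable() helpers accept CAP_SYS_ADMIN as a
 * substitute, and networking loads accept it in place of CAP_NET_ADMIN. */
static int effective(uint64_t mask, int cap)
{
    return ((mask >> cap) & 1) || ((mask >> CAP_SYS_ADMIN) & 1);
}

/* Map an effective capability mask onto the rules in the text above. */
unsigned bpf_permissions(uint64_t cap_eff)
{
    unsigned p = 0;
    if (!effective(cap_eff, CAP_BPF)) return 0;      /* nothing without CAP_BPF */
    p |= BPF_PERM_BASE;
    if (effective(cap_eff, CAP_PERFMON))   p |= BPF_PERM_RELAXED | BPF_PERM_TRACING;
    if (effective(cap_eff, CAP_NET_ADMIN)) p |= BPF_PERM_NET;
    if ((cap_eff >> CAP_SYS_ADMIN) & 1)    p |= BPF_PERM_ADMIN;
    return p;
}

/* Parse a "CapEff:\t<hex>" line as printed in /proc/<pid>/status.
 * Returns 0 and sets *out on success, -1 if the line is not CapEff. */
int parse_capeff_line(const char *line, uint64_t *out)
{
    if (strncmp(line, "CapEff:", 7) != 0) return -1;
    *out = strtoull(line + 7, NULL, 16);
    return 0;
}

int main(void)
{
    /* Constructed sample line: CAP_BPF (bit 39) and CAP_NET_ADMIN (bit 12). */
    uint64_t m = 0;
    if (parse_capeff_line("CapEff:\t0000008000001000", &m) == 0)
        printf("permissions = 0x%x\n", bpf_permissions(m)); /* 0x9 */
    return 0;
}
```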