Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp3086590pxb;
        Fri, 4 Feb 2022 00:33:00 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwpSDXg65+MBszN9N13sOSMmsROjAk6tnLezDhcj1rSFGr5yzoD6PmH2K2iiqmFrz7os7GY
X-Received: by 2002:a63:a47:: with SMTP id z7mr1494206pgk.525.1643963579706;
        Fri, 04 Feb 2022 00:32:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643963579; cv=none;
        d=google.com; s=arc-20160816;
        b=ToPZ/c7CVYB+xp3z686+VqjMApBEGbyteZXAee8Hlj80Bn4JpZW+YwoVDs52Nv035w
         EDp30B5lJJfM5dVK3ZMMR1Nd32FIB56GT1bUPrt6XzHuN5rmdPXjQ7COrovRnVO36HGP
         AAz9jGrkNXOWEYUHwc4aV0bOQwB0VywEPk/9LeRYnds3rz3oueGGsVwmCNRlCPnd5RAw
         sgMlfi4r52YNcOZ4PDjc7jOXU8ML2Bi3Oir0uQJjEonkqITzkmcNalD80Fz9JbLFAipg
         cPW+p+zLky6P4zedwFR6E1HHt9yE+Zwfekmto/Lb4O/ZkAcQr9vNgg3RJkyiL17okbhL
         ZoaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=ExdrZIgp39XVpTkA829D6pTDC2kNpI9DYEfWRWuVVbU=;
        b=0l5K98KlbIXWhLx8QNAvUM1LYDBPPFjHLmvYq2SQr0wbNWVZ6roz7BCdsEhTzKO8IH
         fHmWgB0JGo5N1lTwGZb4lKEGE9tzfQJPOM7FXMDUa4D8y9FI4P7IMjoYwB8T/TIkoFcB
         pUbBBflfQXYhHzf4v10TZIHp+RDw42XU2iM1hwC3dkYjp0jtgMPFQ11q84WaOR9OLUgL
         E1wzMGS1h9o1pDzW55V5Cnrk4SF+NQzq753LfMxpJCRDiOK0KHoWukIAUvaVSZi82kFU
         mrFlgXuc6iOSiwme0SqLQ5B+3bGtuKgk3U8DEFhmcyrRA58dw5pxvlzWZAQFTU2yGQFh
         M+Pg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=ITc9Q24c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id y184si1230238pgd.377.2022.02.04.00.32.48;
        Fri, 04 Feb 2022 00:32:59 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=ITc9Q24c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233724AbiBAUZx (ORCPT <rfc822;vegard.nossum@gmail.com>
        + 99 others); Tue, 1 Feb 2022 15:25:53 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52152 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229793AbiBAUZx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 Feb 2022 15:25:53 -0500
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0BFD0C061714;
        Tue,  1 Feb 2022 12:25:53 -0800 (PST)
Received: by mail-pg1-x535.google.com with SMTP id 132so5409965pga.5;
        Tue, 01 Feb 2022 12:25:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=ExdrZIgp39XVpTkA829D6pTDC2kNpI9DYEfWRWuVVbU=;
        b=ITc9Q24cgjgfgZIRPMUETmA1BvsoPuDTxd8akeVWC6NEkNr5mwgVfkTYcLFmbMbZ8W
         pyiO7xU2fLRPcNVKQ3o1N4+zzRWyjhUf+Vcaa4e1+8OjJOHEFGAXSujp/zo6rnD1g/zL
         QlEe0OP66UsZK0/9jwRVsB102DGV6VLSPYMbb2D4QfIBhOumzCEJsSFJXtkHDsn2c/LK
         9qolP4HxL1Ty1zxhk0TB+/KmY+9XlG7Alsrq/MeLK0v5XSnG8rruw879bv0WYQQYCVsn
         HZmPL8cv9HcJRmll17chuNrjnLe24BPDwcHjHgvr3fVxsBXwpuWolwqRWzlkkbt/ANhO
         9tSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=ExdrZIgp39XVpTkA829D6pTDC2kNpI9DYEfWRWuVVbU=;
        b=US7D3np/sjN7X3UUlrWjuqeHstvg5EAVfcax7Y/DqAR6TG+ZztxpL0NC2DIIsPHBu/
         mcAoenlW4dubGKpTPaMl+oa/EDBM1sx/B4EJpVgRFvN2hO6R5+DyV37YjQbpM7rHA5ER
         gkzkY+OhqmVAh3HfQ9oytwGbqDDeFdw+a9DlONaJVtdFB17jstAXDrCNSATR/3YOGDBg
         kOAvB2cpCuoNFXBcqehRLAteEq9PLcaCA0pEcJTMxrka4mN2etE/1+OTuSlhYo8SSvxx
         C+Vng5U7gcoDW/S1BnZpgZ1kkDWJF51nir21423byUYIheG8SNVW3GJWzC9B/koJxXLq
         qnXg==
X-Gm-Message-State: AOAM532lrep4A1jmguI+7BVuqi5trdVEHIHTLsn3uHsU/7ozmD0wkDXY
        d3G6TH+ZQtOFb9LT/XAcT/8i8yg5h6lnfmkW4ac=
X-Received: by 2002:aa7:888e:: with SMTP id z14mr26785456pfe.46.1643747152532;
 Tue, 01 Feb 2022 12:25:52 -0800 (PST)
MIME-Version: 1.0
References: <20220130030352.2710479-1-hefengqing@huawei.com>
 <CAADnVQLsom4MQq2oonzfCqrHbhfg9y7YMPCk6Wg6r4bp3Su03g@mail.gmail.com> <87zgndqukg.fsf@cloudflare.com>
In-Reply-To: <87zgndqukg.fsf@cloudflare.com>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Tue, 1 Feb 2022 12:25:41 -0800
Message-ID: <CAADnVQKAeP3RB_F-isOdRJNaKns5RBEfs1aYw=_fCtBro64Amw@mail.gmail.com>
Subject: Re: [bpf-next] bpf: Add CAP_NET_ADMIN for sk_lookup program type
To:     Jakub Sitnicki <jakub@cloudflare.com>
Cc:     He Fengqing <hefengqing@huawei.com>,
        Marek Majkowski <marek@cloudflare.com>,
        Network Development <netdev@vger.kernel.org>,
        bpf <bpf@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>,
        Martin KaFai Lau <kafai@fb.com>,
        Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
        John Fastabend <john.fastabend@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jan 30, 2022 at 4:25 AM Jakub Sitnicki <jakub@cloudflare.com> wrote:
>
> On Sun, Jan 30, 2022 at 04:24 AM CET, Alexei Starovoitov wrote:
> > On Sat, Jan 29, 2022 at 6:16 PM He Fengqing <hefengqing@huawei.com> wrote:
> >>
> >> SK_LOOKUP program type was introduced in commit e9ddbb7707ff
> >> ("bpf: Introduce SK_LOOKUP program type with a dedicated attach point"),
> >> but the commit did not add SK_LOOKUP program type in net admin prog type.
> >> I think SK_LOOKUP program type should need CAP_NET_ADMIN, so add SK_LOOKUP
> >> program type in net_admin_prog_type.
> >
> > I'm afraid it's too late to change.
> >
> > Jakub, Marek, wdyt?
>
> That's definitely an oversight on my side, considering that CAP_BPF came
> in 5.8, and sk_lookup program first appeared in 5.9.
>
> Today it's possible to build a usable sk_lookup program without
> CAP_NET_ADMIN if you go for REUSEPORT_SOCKARRAY map instead of
> SOCKMAP/HASH.
>
> Best I can come up is a "phase it out" approach. Put the CAP_NET_ADMIN
> load-time check behind a config option, defaulting to true?, and wait
> for it to become obsolete.

I would keep it as-is then. The trouble doesn't feel worth it.