From 46a71608a1c1f277922adf2a82c4ab1e4d7ad320 Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Wed, 14 Feb 2024 13:15:33 +0100 Subject: Imported Upstream version 2.69 --- doc/values/39.txt | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 doc/values/39.txt (limited to 'doc/values/39.txt') diff --git a/doc/values/39.txt b/doc/values/39.txt new file mode 100644 index 0000000..d05a5c6 --- /dev/null +++ b/doc/values/39.txt @@ -0,0 +1,33 @@ +Allows a process to manipulate aspects of the kernel +enhanced Berkeley Packet Filter (BPF) system. This is +an execution subsystem of the kernel, that manages BPF +programs. CAP_BPF permits a process to: + - create all types of BPF maps + - advanced verifier features: + - indirect variable access + - bounded loops + - BPF to BPF function calls + - scalar precision tracking + - larger complexity limits + - dead code elimination + - potentially other features + +Other capabilities can be used together with CAP_BFP to +further manipulate the BPF system: + - CAP_PERFMON relaxes the verifier checks as follows: + - BPF programs can use pointer-to-integer + conversions + - speculation attack hardening measures can be + bypassed + - bpf_probe_read to read arbitrary kernel memory is + permitted + - bpf_trace_printk to print the content of kernel + memory + - CAP_SYS_ADMIN permits the following: + - use of bpf_probe_write_user + - iteration over the system-wide loaded programs, + maps, links BTFs and convert their IDs to file + descriptors. + - CAP_PERFMON is required to load tracing programs. + - CAP_NET_ADMIN is required to load networking + programs. -- cgit v1.2.3
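Review bot: "CAP_BFP" in "Other capabilities can be used together with CAP_BFP to further manipulate the BPF system" is a typo for CAP_BPF, and since doc/values/39.txt is the source text for the capability description, the misspelled name will propagate into generated documentation and break anyone grepping for the capability; please spell it CAP_BPF. Two smaller wording points in the same file: "maps, links BTFs and convert their IDs" is missing a comma ("maps, links, BTFs and convert their IDs"), and "an execution subsystem of the kernel, that manages BPF programs" should drop the comma before "that". Finally, the last two bullets ("CAP_PERFMON is required to load tracing programs", "CAP_NET_ADMIN is required to load networking programs") are load-time prerequisites, not extra privileges granted on top of CAP_BPF, yet they sit at the same level as the CAP_PERFMON and CAP_SYS_ADMIN entries under "Other capabilities can be used together with CAP_BFP to further manipulate the BPF system"; consider giving them their own short lead-in so a reader does not take them as optional extensions rather than requirements.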