fix: incorrect CAP_BPF check method (#715)

And added a check for CAP_SYS_ADMIN permissions. > The CAP_* values are bit indexes and need to be bit-shifted before ORing into the bit fields. refer: * https://man7.org/linux/man-pages/man2/capset.2.html * https://github.com/torvalds/linux/blob/0bc21e701a6ffacfdde7f04f87d664d82e8a13bf/include/uapi/linux/capability.h#L383-L412 Signed-off-by: hengyoush <[email protected]>
gojue · Jan 4, 2025 · 06613e0 · 06613e0
1 parent 91b8be1
commit 06613e0
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/cli/cmd/env_detection.go b/cli/cmd/env_detection.go
@@ -52,7 +52,9 @@ func detectBpfCap() error {
 		return fmt.Errorf("failed to get the capabilities of the current process: %v", err)
 	}
 
-	haveBpfCap := data[0].Permitted&unix.CAP_BPF != 0
+	capBpfMask := uint32(1 << (unix.CAP_BPF - 32))
+	capSysAdminMask := uint32(1 << unix.CAP_SYS_ADMIN)
+	haveBpfCap := (data[1].Permitted&capBpfMask != 0) || (data[0].Permitted&capSysAdminMask != 0)
 	if !haveBpfCap {
 		return fmt.Errorf("the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.")
 	}