[PATCH bpf-next 0/2] bpf: Require CAP_BPF for pseudo-BTF ksym loads

From: Nuoqi Gui

Date: Fri Jun 19 2026 - 12:05:06 EST


BPF_PSEUDO_BTF_ID resolves a BTF id for a kernel symbol into a concrete
kernel address before the main verifier pass. A raw ldimm64 using this
pseudo source can currently reach kallsyms resolution without CAP_BPF,
and verbose verifier logging can print the rewritten immediate.

Require CAP_BPF before pseudo-BTF ksym materialization and add focused
verifier selftests for both the no-CAP rejection and the CAP_BPF-allowed
case.

Fixes: 4976b718c3551 ("bpf: Introduce pseudo_btf_id")

Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
---
Nuoqi Gui (2):
      bpf: Require CAP_BPF for pseudo-BTF ksym loads
      selftests/bpf: Cover pseudo-BTF ksym load capability

 kernel/bpf/verifier.c                              |  5 ++++
 .../testing/selftests/bpf/progs/verifier_unpriv.c  | 32 ++++++++++++++++++++++
 2 files changed, 37 insertions(+)
---
base-commit: a3847994b4d20c0701ccc54fe110920ea78e73dc
change-id: 20260619-f01-13-pseudo-btf-id-cap-bpf-585f98eac268

Best regards,
--
Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
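
A userspace model of the gate the cover letter describes, added here as an illustration and not taken from the posted series or from kernel/bpf/verifier.c: it walks a raw instruction array and refuses any ldimm64 whose source is BPF_PSEUDO_BTF_ID unless the loader holds CAP_BPF. The function name, the sample programs, the BTF id 1234 and the -EPERM return value are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as struct bpf_insn in the kernel UAPI header. */
struct insn {
    uint8_t code;
    uint8_t dst_reg : 4, src_reg : 4;
    int16_t off;
    int32_t imm;
};

#define OP_LD_IMM64   0x18 /* BPF_LD | BPF_IMM | BPF_DW, occupies two slots */
#define PSEUDO_BTF_ID 3    /* BPF_PSEUDO_BTF_ID: imm is the BTF id of a ksym */

/* Constructed samples; BTF id 1234 is a made-up value. */
static const struct insn sample_ksym_prog[] = {
    { .code = OP_LD_IMM64, .dst_reg = 1, .src_reg = PSEUDO_BTF_ID, .imm = 1234 },
    { 0 },                          /* second half of the ldimm64 */
    { .code = 0xb7, .dst_reg = 0 }, /* r0 = 0 */
    { .code = 0x95 },               /* exit */
};
static const struct insn sample_plain_prog[] = {
    { .code = OP_LD_IMM64, .dst_reg = 1, .imm = 42 }, { 0 },
    { .code = 0xb7, .dst_reg = 0 }, { .code = 0x95 },
};

/* Hypothetical gate: 0 = ok, -EPERM = pseudo-BTF load without CAP_BPF
 * (error code is an assumption), -EINVAL = malformed ldimm64. */
int check_pseudo_btf_loads(const struct insn *p, size_t n, bool has_cap_bpf)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i].code != OP_LD_IMM64)
            continue;
        /* An ldimm64 needs a second slot whose header fields are all zero. */
        if (i + 1 >= n || p[i + 1].code || p[i + 1].dst_reg ||
            p[i + 1].src_reg || p[i + 1].off)
            return -EINVAL;
        if (p[i].src_reg == PSEUDO_BTF_ID && !has_cap_bpf)
            return -EPERM; /* refuse before any symbol would be resolved */
        i++; /* skip the second slot: it carries data, not an instruction */
    }
    return 0;
}

int main(void)
{
    printf("ksym, no CAP_BPF: %d\n", check_pseudo_btf_loads(sample_ksym_prog, 4, false));
    printf("ksym, CAP_BPF:    %d\n", check_pseudo_btf_loads(sample_ksym_prog, 4, true));
    return 0;
}
```

The two calls in main() mirror the two selftest cases named in the cover letter: rejection without CAP_BPF and acceptance with it.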