On 09/15/2016 08:36 AM, Vincent Bernat wrote:
> ❦ 12 September 2016 18:12 CEST, Daniel Mack <dan...@zonque.org> :
>
>> * The sample program learned to support both ingress and egress, and
>> can now optionally make the eBPF program drop packets by making it
>> return 0.
>
> Ability to lock the eBPF program to avoid modification from a later
> program or in a subcgroup would be pretty interesting from a security
> perspective.
For now, you can achieve that by dropping CAP_NET_ADMIN after installing a
program between fork and exec. I think that should suffice for a first
version. Flags to further limit that could be added later.

Thanks,
Daniel
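A worked version of the fork / attach / drop-CAP_NET_ADMIN / exec sequence from the reply above, added here as an example for this page; it is not code from the cgroup eBPF patch series or its sample program. It assumes the UAPI values as merged in Linux 4.10 (BPF_OBJ_GET = 7, BPF_PROG_ATTACH = 8, BPF_CGROUP_INET_INGRESS = 0), a cgroup v2 directory that the launcher itself already runs in (so the child inherits it), and a program of the cgroup-skb type already pinned in bpffs; bpf_obj_get, attach_cgroup_prog, has_effective_cap, drop_cap and the "lockcg" usage are names chosen for the example. Raw syscalls are used so it needs neither libcap nor libbpf.

```c
/* Added example for this thread, not code from the cgroup eBPF patch series
 * or its sample program: fork, attach the cgroup program, drop CAP_NET_ADMIN,
 * exec.  Command and attach-type values mirror the UAPI as merged in Linux
 * 4.10, an assumption relative to the v5 patches under discussion. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { BPF_CMD_OBJ_GET = 7, BPF_CMD_PROG_ATTACH = 8 };    /* enum bpf_cmd */
enum { CGROUP_INET_INGRESS = 0, CGROUP_INET_EGRESS = 1 }; /* enum bpf_attach_type */

/* Minimal, padding-free views of the union bpf_attr members these commands use. */
struct obj_get_attr { uint64_t pathname __attribute__((aligned(8))); uint32_t bpf_fd, flags; };
struct prog_attach_attr { uint32_t target_fd, attach_bpf_fd, attach_type; };

/* Return an fd for a program pinned in bpffs. */
static int bpf_obj_get(const char *path)
{
    struct obj_get_attr attr = { (uintptr_t)path, 0, 0 };
    return syscall(SYS_bpf, BPF_CMD_OBJ_GET, &attr, sizeof(attr));
}

/* Attach prog_fd to the cgroup behind cgroup_fd for ingress or egress. */
static int attach_cgroup_prog(int cgroup_fd, int prog_fd, uint32_t type)
{
    struct prog_attach_attr attr = { cgroup_fd, prog_fd, type };
    return syscall(SYS_bpf, BPF_CMD_PROG_ATTACH, &attr, sizeof(attr));
}

/* 1 if cap is in the calling thread's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    return (data[cap / 32].effective >> (cap % 32)) & 1;
}

/* Remove cap from the effective, permitted and inheritable sets.  Leaving the
 * permitted set is one-way for this thread, so nothing it later execs can
 * attach or detach cgroup programs.  Returns 0 on success, -1 on error. */
int drop_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    uint32_t keep = ~(1u << (cap % 32));
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    data[cap / 32].effective &= keep;
    data[cap / 32].permitted &= keep;
    data[cap / 32].inheritable &= keep;
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

/* usage: lockcg <cgroup-v2-dir> <pinned-prog> <cmd> [args...]
 * Assumes the launcher already runs inside <cgroup-v2-dir> (child inherits it). */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <cgroup-dir> <pinned-prog> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        int cg_fd = open(argv[1], O_RDONLY | O_DIRECTORY);
        int prog_fd = bpf_obj_get(argv[2]);
        if (cg_fd < 0 || prog_fd < 0 ||
            attach_cgroup_prog(cg_fd, prog_fd, CGROUP_INET_INGRESS) < 0) {
            perror("cgroup program setup");
            _exit(1);
        }
        close(prog_fd);
        close(cg_fd);
        /* The lock.  With uid 0, exec would refill the permitted set from the
         * bounding set, so drop it there first; that needs CAP_SETPCAP and is
         * only best-effort for unprivileged launchers. */
        if (prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN, 0, 0, 0) < 0)
            perror("PR_CAPBSET_DROP (continuing)");
        if (drop_cap(CAP_NET_ADMIN) < 0) {
            perror("capset");
            _exit(1);
        }
        execvp(argv[3], argv + 3);
        perror("execvp");
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Two points worth checking when using this pattern. First, for a uid 0 launcher, removing CAP_NET_ADMIN from the permitted set alone does not survive exec: the kernel refills root's permitted set from the bounding set when it executes a binary without file capabilities, so the PR_CAPBSET_DROP is what actually makes the lock stick for a root child. Second, the lock only binds this process tree; any other process that still holds CAP_NET_ADMIN can attach a different program to the cgroup, or to a child cgroup, exactly as before.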