Quite simple "program":

- start as root
- configure RLIMIT_MEMLOCK
- drop root but keep CAP_NET_ADMIN and CAP_NET_RAW
- create network interface
- configure network interface
- create CLSACT qdisc for interface
- reconfigure eBPF program for interface
- call bpf(BPF_PROG_LOAD, ...) with program type BPF_PROG_TYPE_SCHED_CLS

Result: EPERM

That bpf() does honor CAP_SYS_ADMIN doesn't help, as this is too broad for network-related actions and may pose a security problem. Privileged network-related bpf program load should honour CAP_NET_ADMIN in addition to CAP_SYS_ADMIN.
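A minimal check of the reported behaviour, added here as an example and not taken from the original report: it reads the effective capability mask from /proc/self/status and attempts to load a two-instruction BPF_PROG_TYPE_SCHED_CLS program, so the capability state and the bpf() result can be seen side by side. The helper names (parse_capeff, has_cap, try_load_sched_cls) are hypothetical; the interface and qdisc steps are left out because the load is where the failure occurs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>
#include <linux/capability.h>

/* Parse the "CapEff:" hex mask from /proc/<pid>/status text; 0 if absent. */
static uint64_t parse_capeff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + 7, NULL, 16) : 0;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
static int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1); }

/* Load "r0 = 0; exit" as a SCHED_CLS program. Returns the fd or -errno. */
static int try_load_sched_cls(void)
{
    struct bpf_insn prog[] = {
        { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0, .imm = 0 },
        { .code = BPF_JMP | BPF_EXIT },
    };
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_SCHED_CLS;
    attr.insns = (uint64_t)(uintptr_t)prog;
    attr.insn_cnt = sizeof(prog) / sizeof(prog[0]);
    attr.license = (uint64_t)(uintptr_t)"GPL";
    long fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0'; fclose(f); }
    uint64_t eff = parse_capeff(buf);
    int rc = try_load_sched_cls();
    printf("CAP_NET_ADMIN=%d CAP_NET_RAW=%d CAP_SYS_ADMIN=%d\n",
           has_cap(eff, CAP_NET_ADMIN), has_cap(eff, CAP_NET_RAW), has_cap(eff, CAP_SYS_ADMIN));
    printf("BPF_PROG_LOAD(SCHED_CLS): %s\n", rc < 0 ? strerror(-rc) : "ok");
    if (rc >= 0) close(rc);
    return 0;
}
```

Run from the process state reached after dropping root, the behaviour described above shows up as CAP_NET_ADMIN=1, CAP_SYS_ADMIN=0 and "Operation not permitted" for the load.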