On 09/15/2016 08:36 AM, Vincent Bernat wrote:
> ❦ 12 September 2016 18:12 CEST, Daniel Mack <dan...@zonque.org> :
>> * The sample program learned to support both ingress and egress, and
>> can now optionally make the eBPF program drop packets by making it
>> return 0.
> Ability to lock the eBPF program to avoid modification from a later
> program or in a subcgroup would be pretty interesting from a security
For now, you can achieve that by dropping CAP_NET_ADMIN after installing
a program between fork and exec. I think that should suffice for a first
version. Flags to further limit that could be added later.
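The fork/exec sequence the reply describes, as an added example that is not code from the thread or from the patch series: the parent is assumed to have already attached its cgroup eBPF program (that bpf() call is not shown here), then forks, clears CAP_NET_ADMIN from the child's capability sets, and only then execs the workload, so the child cannot detach or replace the program. It assumes Linux with the v3 capget/capset layout; `/bin/true` stands in for the real workload.

```c
/* Added example (not from the thread): drop CAP_NET_ADMIN between fork()
 * and exec() so the child keeps the parent's cgroup eBPF attachment. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

/* Pure helper: clear one capability bit in a 32-bit capability word.
 * CAP_NET_ADMIN is 12, so it lives in data[0] (capabilities 0..31). */
static uint32_t clear_cap_bit(uint32_t word, int cap)
{
    if (cap < 0 || cap > 31)
        return word;                  /* not in this word; leave untouched */
    return word & ~(1u << cap);
}

/* Pure helper: 1 if the capability bit is set in this word, else 0. */
static int cap_bit_set(uint32_t word, int cap)
{
    return (cap >= 0 && cap <= 31) && ((word >> cap) & 1u);
}

/* Read the calling thread's capability sets with the raw capget syscall.
 * Returns 0 on success, -errno on failure. */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,                     /* 0 = calling thread */
    };
    memset(data, 0, 2 * sizeof(*data));
    return syscall(SYS_capget, &hdr, data) < 0 ? -errno : 0;
}

/* Remove CAP_NET_ADMIN from the effective, permitted and inheritable sets.
 * Reducing your own capabilities needs no privilege, so this also works
 * for a caller that never had the capability. Returns 0 or -errno. */
static int drop_cap_net_admin(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,
    };
    struct __user_cap_data_struct data[2];
    int rc = read_caps(data);
    if (rc < 0)
        return rc;

    data[0].effective   = clear_cap_bit(data[0].effective,   CAP_NET_ADMIN);
    data[0].permitted   = clear_cap_bit(data[0].permitted,   CAP_NET_ADMIN);
    data[0].inheritable = clear_cap_bit(data[0].inheritable, CAP_NET_ADMIN);

    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* 1 if CAP_NET_ADMIN is still in the permitted set, 0 if not, <0 on error. */
static int has_cap_net_admin(void)
{
    struct __user_cap_data_struct data[2];
    int rc = read_caps(data);
    if (rc < 0)
        return rc;
    return cap_bit_set(data[0].permitted, CAP_NET_ADMIN);
}

/* Fork, drop the capability in the child, then exec argv. Returns the
 * child's exit status, or -errno / -1 if something went wrong. */
static int spawn_without_net_admin(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        /* Without this a setuid or file-capability binary could regain
         * the capability on exec; no_new_privs closes that path too. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
            _exit(127);
        if (drop_cap_net_admin() < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "/bin/true", NULL };   /* placeholder workload */
    int rc = spawn_without_net_admin(argv);
    printf("child exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Clearing the bit from the permitted set is what matters: once it is gone from permitted, the child cannot put it back into its effective set, and with no_new_privs it cannot regain it through exec either. This only pins the attachment against the child itself; a CAP_NET_ADMIN process elsewhere in the hierarchy could still change it, which is the gap the quoted message's locking flag would address.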