Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

From: Daniel Mack <hidden>
Date: 2016-09-15 08:11:50
Also in: cgroups

On 09/15/2016 08:36 AM, Vincent Bernat wrote:
> ❦ 12 September 2016 18:12 CEST, Daniel Mack [off-list ref]:
>
>> * The sample program learned to support both ingress and egress, and
>>   can now optionally make the eBPF program drop packets by making it
>>   return 0.
>
> Ability to lock the eBPF program to avoid modification from a later
> program or in a subcgroup would be pretty interesting from a security
> perspective.

For now, you can achieve that by dropping CAP_NET_ADMIN after installing
a program between fork and exec. I think that should suffice for a first
version. Flags to further limit that could be added later.


Thanks,
Daniel
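
The fork/drop/exec sequence described in the reply above, as an added example that is not part of the original message or of the patch set. The function names are hypothetical, the eBPF install step is left as a comment because its API is not shown on this page, and the bounding-set drop and `PR_SET_NO_NEW_PRIVS` are assumptions added here so the exec'd workload cannot regain the capability.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if CAP_NET_ADMIN is still effective or permitted, 0 if gone, -1 on error. */
static int has_cap_net_admin(void)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = { { 0, 0, 0 } };
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    return (int)(((d[0].effective | d[0].permitted) >> CAP_NET_ADMIN) & 1u);
}

/* Give up CAP_NET_ADMIN for this process and whatever it execs (0 on success). */
static int drop_cap_net_admin(void)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = { { 0, 0, 0 } };
    unsigned int bit = 1u << CAP_NET_ADMIN;
    /* Bounding set first, while CAP_SETPCAP may still be held. EPERM only
     * means we lack CAP_SETPCAP; no_new_privs (an assumption added in this
     * example) then stops exec from granting the capability back. */
    if (prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN, 0, 0, 0) != 0 && errno != EPERM) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    /* Clearing permitted/inheritable also lowers the ambient set. */
    d[0].effective &= ~bit; d[0].permitted &= ~bit; d[0].inheritable &= ~bit;
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    return has_cap_net_admin();
}

/* Fork, install, drop, exec. Returns the child's exit status, -1 on error. */
static int run_locked(char *const argv[])
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Privileged step goes here: install the cgroup eBPF program. */
        if (drop_cap_net_admin() != 0) _exit(126);  /* refuse to exec */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
```

Exit status 126 from `run_locked` means the child still held the capability and declined to exec the workload.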