On 09/15/2016 08:36 AM, Vincent Bernat wrote:
> ❦ 12 September 2016 18:12 CEST, Daniel Mack <daniel@xxxxxxxxxx> :
>
>> * The sample program learned to support both ingress and egress, and
>> can now optionally make the eBPF program drop packets by making it
>> return 0.
>
> Ability to lock the eBPF program to avoid modification from a later
> program or in a subcgroup would be pretty interesting from a security
> perspective.

For now, you can achieve that by dropping CAP_NET_ADMIN after installing
a program between fork and exec. I think that should suffice for a first
version. Flags to further limit that could be added later.

Thanks,
Daniel
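The fork/exec capability drop described above, as an added example (not code from the patch series or from either author). It assumes Linux, uses raw capget/capset and prctl rather than libcap, and leaves the cgroup program attachment itself as a placeholder comment:

```c
/* Added example: in a forked child, after the cgroup eBPF program has been
 * installed, drop CAP_NET_ADMIN so the exec'd workload cannot replace or
 * detach it. Linux only; raw syscalls, no libcap needed. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct __user_cap_data_struct cap_data_t;

/* Clear `cap` from the effective, permitted and inheritable sets in `d`
 * (two 32-bit words each under capability version 3). Pure helper;
 * returns 1 if the capability was present in any set, else 0. */
int strip_cap(cap_data_t d[_LINUX_CAPABILITY_U32S_3], int cap)
{
    cap_data_t *w = &d[CAP_TO_INDEX(cap)];
    unsigned int mask = CAP_TO_MASK(cap);
    int present = ((w->effective | w->permitted | w->inheritable) & mask) ? 1 : 0;
    w->effective   &= ~mask;
    w->permitted   &= ~mask;
    w->inheritable &= ~mask;
    return present;
}

/* Remove CAP_NET_ADMIN from the bounding set first (so file capabilities
 * on the exec target cannot hand it back; needs CAP_SETPCAP), then from
 * the thread's own sets. Returns 0 on success, -1 if a syscall failed. */
int drop_cap_net_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t data[_LINUX_CAPABILITY_U32S_3];

    if (prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN, 0, 0, 0) < 0)
        return -1;
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    strip_cap(data, CAP_NET_ADMIN);
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args]\n", argv[0]); return 1; }
    pid_t pid = fork();
    if (pid == 0) {
        /* the cgroup eBPF program would be attached here (omitted) */
        if (drop_cap_net_admin() < 0) { perror("drop_cap_net_admin"); _exit(1); }
        execvp(argv[1], argv + 1);
        perror("execvp");
        _exit(1);
    }
    return pid < 0 ? 1 : (waitpid(pid, NULL, 0) < 0);
}
```

Run as root (or with CAP_SETPCAP and CAP_NET_ADMIN) for the bounding-set drop to succeed; the helper `strip_cap` is pure and can be checked without privileges.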