So I was wondering if Kicksecure should disable eBPF altogether for containers?
Security-Misc already addresses 2 related BPF settings for kernel hardening:
- [Restrict usage of bpf() to CAP_BPF to prevent the loading of BPF programs by unprivileged users.]
net.core.bpf_jit_harden=2
- [Enable hardening of the BPF JIT compiler for all users.]
kernel.unprivileged_bpf_disabled=1
So I was wondering if some kind of drop-in for container software like Podman and Docker could be made to disable eBPF altogether, or certain aspects of it?
Was looking at /etc/containers/containers.conf.d/ for a drop-in, but I see no options that address them or are universally applied for all container software?
/etc/containers is a standard configuration directory used by several container-related tools on Linux systems, most notably Podman, Buildah, Skopeo, and the CRI-O runtime.
Then when it comes to Docker the only idea I came up with is /etc/systemd/system/docker.service.d/disable-bpf.conf with ExecStart=/usr/bin/dockerd --no-bpf
What got me thinking about this was this proof of concept here:
github.com/hackerschoice/bpfhacks
Besides the two kernel-related hardening settings, are there really any other ways to mitigate this type of attack, or is it a moot point since it requires the attacker to gain root?
These are just some thoughts that came to mind sorry if this post looks like security cosplay at first glance.
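The two sysctls quoted in the post can be verified on a running host rather than assumed. The script below is an added example, not Kicksecure or security-misc code: it reads the live values from /proc/sys (the standard procfs mapping of sysctl names, with dots turned into slashes), compares them against the hardened values the post lists (kernel.unprivileged_bpf_disabled=1 and net.core.bpf_jit_harden=2), and prints one OK/WEAK/MISSING line per setting. The function names and the sample sysctl text are my own constructions.

```shell
#!/bin/sh
# Added example (not from Kicksecure/security-misc): audit the two BPF-related
# sysctls against the hardened values quoted above.
#   kernel.unprivileged_bpf_disabled = 1  -> only privileged callers may use bpf()
#   net.core.bpf_jit_harden          = 2  -> JIT hardening for all users

# expected_bpf_value NAME -> prints the hardened value for NAME; returns 1 if NAME is unknown
expected_bpf_value() {
  case "$1" in
    kernel.unprivileged_bpf_disabled) echo 1 ;;
    net.core.bpf_jit_harden) echo 2 ;;
    *) return 1 ;;
  esac
}

# bpf_setting_is_hardened NAME VALUE -> 0 if VALUE equals the hardened target, 1 otherwise
bpf_setting_is_hardened() {
  expected=$(expected_bpf_value "$1") || return 1
  [ "$2" = "$expected" ]
}

# audit_bpf_sysctl_text TEXT -> TEXT is "name = value" lines in `sysctl -a` style.
# Prints "OK name=value", "WEAK name=value (want N)" or "MISSING name (want N)" per
# known setting; returns 0 only when every setting is at its hardened value.
audit_bpf_sysctl_text() {
  text=$1
  rc=0
  for name in kernel.unprivileged_bpf_disabled net.core.bpf_jit_harden; do
    want=$(expected_bpf_value "$name")
    value=$(printf '%s\n' "$text" | awk -F'=' -v n="$name" '
      /^[ \t]*#/ { next }                        # skip comment lines
      { gsub(/[ \t]/, "", $1) }                  # trim the key
      $1 == n { v = $2; gsub(/[ \t]/, "", v) }   # last occurrence wins, like sysctl
      END { print v }')
    if [ -z "$value" ]; then
      echo "MISSING $name (want $want)"; rc=1
    elif bpf_setting_is_hardened "$name" "$value"; then
      echo "OK $name=$value"
    else
      echo "WEAK $name=$value (want $want)"; rc=1
    fi
  done
  return $rc
}

# audit_live_bpf_sysctls -> builds the same "name = value" text from /proc/sys on
# this host (sysctl dots become path separators) and audits it.
audit_live_bpf_sysctls() {
  live=$(for name in kernel.unprivileged_bpf_disabled net.core.bpf_jit_harden; do
    path="/proc/sys/$(printf '%s' "$name" | tr . /)"
    [ -r "$path" ] && printf '%s = %s\n' "$name" "$(cat "$path")"
  done)
  audit_bpf_sysctl_text "$live"
}

# Constructed samples (not captured from any real host) for offline runs.
SAMPLE_HARDENED='# constructed sample of sysctl -a output on a hardened host
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2'

SAMPLE_WEAK='# constructed sample of sysctl -a output on an unhardened host
kernel.unprivileged_bpf_disabled = 0
net.core.bpf_jit_harden = 0'

# Usage: `sh bpf_audit.sh --live` audits this host; without arguments nothing runs.
if [ "${1:-}" = "--live" ]; then
  audit_live_bpf_sysctls
fi
```

Running it with `--live` on the host exits non-zero if either setting is missing or below its hardened value, so it can sit in a post-boot check; the pure functions can also be fed saved `sysctl -a` output from another machine.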