public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed
From: "Toke Høiland-Jørgensen" <toke@kernel.org>
To: Dropify Drop <d.dropify@gmail.com>, bpf@vger.kernel.org
Subject: Re: Removing clsact while eBPF program is still attached
Date: Sat, 18 Feb 2023 19:40:39 +0100	[thread overview]
Message-ID: <87h6viq0k8.fsf@toke.dk> (raw)
In-Reply-To: <CAJxriS2Up7DrF4r9LHX+L_6X0NhP5m4sUTqGGcE5SAna+HFWLA@mail.gmail.com>

Dropify Drop <d.dropify@gmail.com> writes:

> Hi,
> I am playing around with eBPF + TC and wrote some eBPF code to
> intercept egress and ingress traffic (clsact qdisc) .
> All works great but while the eBPF program is still attached I can via
> command line remove the associated clsact qdisc (tc qdisc del dev
> <interface> clsact) and the eBPF program no longer receives the
> traffic. It is kind of expected but any root user can silently disable
> it.

Well, any root user can also down the interface or do, well, anything,
really, that's kinda the point of having root...

So, erm, don't give root access to people you don't trust not to mess up
your system? :)

-Toke

      reply	other threads:[~2023-02-18 18:40 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-18  9:22 Removing clsact while eBPF program is still attached Dropify Drop
2023-02-18 18:40 ` Toke Høiland-Jørgensen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87h6viq0k8.fsf@toke.dk \
    --to=toke@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=d.dropify@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox