
Comment by littlesnitch

6 days ago

Thanks for sharing! I took rustnet as proof that complex eBPF programs can be done in Rust. Otherwise I would not have dared to try this!

Reducing the set of privileges is on my todo list, but for the moment I just want to get things working without worrying about self-made limitations.

Regarding mount points: I needed the inode numbers of the mounted nodes. With my last commit this requirement has been dropped and it should be sufficient to read mountinfo (and access config files and sqlite3 databases, of course).

I don't need to get the executable from PID; that's already done in eBPF because I need to apply rules based on executable paths.

Ah nice, I'll take a look at the open-source eBPF part for the process resolution, which is an area where I still have some rough edges, and there is probably something I can learn from your approach.