After that hint, I thought I'd give the code a quick audit.

The install script adds sudoers rules to allow the ebaf executable to be run with no password [0] (and also to `pkill -P` any PPID). The ebaf executable checks the current directory by default to look for the eBPF code to load [1]. So, running the install script allows any eBPF code to be loaded into the kernel without a sudo password. You probably don't want this! (I'm pretty sure that'd be enough for a root LPE.)

Further, the ebaf executable writes logs to a file named `/tmp/ebaf-stats.dat` [2]. An unprivileged user could put a symlink here, causing the destination file to get clobbered.

It also re-resolves all domain names every 600 seconds. Given that there are over a thousand domains listed, that's quite a lot of DNS traffic! [3]

Also, the "web dashboard" claims to listen on localhost, but it actually listens on INADDR_ANY [4].

[0] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...
[1] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...
[2] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...
[3] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...
[4] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...
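The `/tmp` symlink clobber and the localhost-vs-INADDR_ANY bind described in the comment above, as an added example in C. This is not code from eBAF or from the commenter: the function names, the scratch directory, the `victim` file and the `stats.dat` link are all constructed here for illustration. `naive_open_stats` is the pattern that gets clobbered; `safe_open_stats` shows the `O_NOFOLLOW|O_EXCL` hardening; `make_listen_addr` shows the one-line difference between a loopback bind and an all-interfaces bind.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the one the comment describes): a fixed path in the
 * world-writable /tmp opened with O_CREAT|O_TRUNC. If another user planted a
 * symlink at that path, open() follows it and truncates the link target. */
int naive_open_stats(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_NOFOLLOW refuses to follow a symlink in the final path
 * component and O_EXCL refuses to reuse any pre-existing file. On Linux the
 * O_EXCL check runs first, so a planted symlink fails with EEXIST; with
 * O_NOFOLLOW alone it would be ELOOP. Either way the target is untouched.
 * Returns the fd, or -1 with errno set. */
int safe_open_stats(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Listener address for a dashboard. loopback_only picks 127.0.0.1, which is
 * what "listens on localhost" should mean; INADDR_ANY (0.0.0.0) binds every
 * interface and exposes the service to the network. */
struct sockaddr_in make_listen_addr(uint16_t port, int loopback_only) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(loopback_only ? INADDR_LOOPBACK : INADDR_ANY);
    return sa;
}

static off_t file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Reproduces the clobber in a private scratch directory (constructed input,
 * nothing from the real project): a 10-byte "victim" file and a symlink named
 * stats.dat pointing at it. Returns 1 when the hardened open refuses the link
 * and leaves the victim intact while the naive open truncates it to 0 bytes,
 * 0 if behaviour differs, -1 if the scratch setup itself failed. */
int demo_symlink_clobber(void) {
    const char *base = getenv("TMPDIR");
    char dir[256], victim[300], link[300];
    int fd, safe_refused, intact, naive_opened, clobbered, result = -1;
    FILE *f;

    snprintf(dir, sizeof dir, "%s/ebaf-demo-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/stats.dat", dir);

    f = fopen(victim, "w");
    if (f != NULL) {
        fputs("important\n", f);          /* exactly 10 bytes */
        fclose(f);
        if (symlink(victim, link) == 0) {
            /* Hardened open must fail and must not touch the victim. */
            fd = safe_open_stats(link);
            safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
            if (fd >= 0) close(fd);
            intact = (file_size(victim) == 10);

            /* Naive open follows the link and truncates the victim. */
            fd = naive_open_stats(link);
            naive_opened = (fd >= 0);
            if (fd >= 0) close(fd);
            clobbered = (file_size(victim) == 0);

            result = (safe_refused && intact && naive_opened && clobbered) ? 1 : 0;
        }
    }
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    char buf[INET_ADDRSTRLEN];
    struct sockaddr_in sa = make_listen_addr(8080, 1);
    printf("symlink demo: %s\n", demo_symlink_clobber() == 1
           ? "naive open clobbered the target, hardened open refused"
           : "unexpected result (check scratch dir permissions)");
    printf("dashboard should bind %s, not 0.0.0.0\n",
           inet_ntop(AF_INET, &sa.sin_addr, buf, sizeof buf));
    return 0;
}
```

Two caveats worth knowing when assessing the real-world impact: the demo deliberately plants the symlink in a directory the caller owns, because with `fs.protected_symlinks=1` (the default on most current distributions) the kernel refuses to let a process follow another user's symlink in a sticky, world-writable directory such as `/tmp`, which blunts the attack on hardened hosts; and the better fix for a privileged daemon is not a cleverer `open()` flag combination but keeping its state under a root-owned directory (`/run` or `/var/lib`) rather than in `/tmp` at all.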