Protecting against eBPF rootkits - by Nathan Naveen
Bomfather
Protecting against eBPF rootkits
Nathan Naveen, Jun 17, 2026
We built our tooling on eBPF, but eBPF can also be used to build rootkits and other malicious programs: https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html.

To prevent this kind of attack, we released a new feature that, by default, blocks loading eBPF programs and pinning them (https://docs.ebpf.io/linux/concepts/pinning/) even for privileged callers, closing off a large class of attack vectors.

Bomfather supports kernel versions 5.18 to 6.18, and we wanted the feature to be available to all our customers. However, the critical API that provides this functionality had a breaking change in kernel version 6.15: the hook signature became int BPF_PROG(lsm_bpf, int cmd, union bpf_attr *attr, unsigned int size, bool kernel), which added the parameter bool kernel. Earlier kernels only support the four-argument form, int BPF_PROG(lsm_bpf_compat, int cmd, union bpf_attr *attr, unsigned int size). We dealt with this by compiling the BPF code with both handlers alongside the userspace code, and loading only the handler that matches the running kernel version.
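The dual-handler layout described above, written out as an added example (not Bomfather's own code): one BPF object carries both signatures of the LSM "bpf" hook over a shared policy, and the loader enables only the handler that matches the running kernel (with libbpf, by calling bpf_program__set_autoload(prog, false) on the other). The names lsm_bpf and lsm_bpf_compat follow the post; gate_policy, the file name gate.bpf.c and the host-side shims are assumptions so the policy can be compiled and tested with an ordinary C compiler.

```c
/* gate.bpf.c (hypothetical file name). For the kernel, build with
 *   clang -O2 -g -target bpf -c gate.bpf.c       (needs a generated vmlinux.h)
 * Attach lsm_bpf on kernels >= 6.15 and lsm_bpf_compat on 5.18 .. 6.14, and
 * disable autoload of the other one before loading the object.
 * Without __bpf__ (host compiler) the shims below stand in for the BPF headers. */
#ifdef __bpf__
#include "vmlinux.h"            /* supplies union bpf_attr, enum bpf_cmd, bool */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#ifndef EPERM
#define EPERM 1
#endif
char LICENSE[] SEC("license") = "GPL";
#else
#include <stdbool.h>
#include <errno.h>
union bpf_attr;                 /* opaque on the host: the policy never reads it */
enum { BPF_MAP_CREATE = 0, BPF_PROG_LOAD = 5, BPF_OBJ_PIN = 6 }; /* from enum bpf_cmd */
#define SEC(name)
#define BPF_PROG(name, ...) name(__VA_ARGS__)
#endif

/* Shared policy (assumed helper): deny program loads and pinning for every
 * caller, privileged or not. Everything else (map create/lookup, ...) passes. */
static inline int gate_policy(int cmd)
{
    switch (cmd) {
    case BPF_PROG_LOAD:
    case BPF_OBJ_PIN:
        return -EPERM;
    default:
        return 0;
    }
}

/* Kernel >= 6.15: the hook gained "bool kernel", telling it whether the
 * request came from kernel code rather than a userspace bpf() syscall. */
SEC("lsm/bpf")
int BPF_PROG(lsm_bpf, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
{
    return gate_policy(cmd);
}

/* Kernel 5.18 .. 6.14: the older four-argument form of the same hook. */
SEC("lsm/bpf")
int BPF_PROG(lsm_bpf_compat, int cmd, union bpf_attr *attr, unsigned int size)
{
    return gate_policy(cmd);
}
```

Because the gate denies every later BPF_PROG_LOAD, the loader must load and attach this object before any other program it needs, and the unused handler must be excluded from loading, since the five-argument variant does not verify on a kernel whose BTF only has four.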