1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
// bpf() syscall - eBPF Program Loading
//
// WHY BPF IS DANGEROUS IN SANDBOXES:
// The bpf() syscall allows loading and manipulating eBPF programs that run
// inside the kernel. eBPF has been a major source of kernel vulnerabilities
// and privilege escalation exploits in recent years.
//
// SECURITY CONCERNS:
// 1. eBPF runs in kernel context with elevated privileges
// 2. JIT compiler bugs can lead to arbitrary code execution
// 3. Verifier bypasses have led to many CVEs
// 4. Can read/write arbitrary kernel memory if exploited
// 5. Unprivileged eBPF has been a major attack surface
//
// CVEs AND EXPLOITS:
// - CVE-2021-3490: eBPF ALU32 bounds tracking bug (privilege escalation)
// - CVE-2021-31440: eBPF verifier bypass
// - CVE-2022-23222: eBPF verifier pointer arithmetic
// - CVE-2023-2163: eBPF verifier state pruning bug
// - Many more eBPF-related CVEs
//
// ATTACK VECTORS:
// 1. BPF_PROG_LOAD: Load malicious eBPF program
// 2. Exploit verifier bugs to bypass safety checks
// 3. Use maps to read/write kernel memory
// 4. Escape from containers via kernel compromise
//
// WHY BLOCK IT:
// 1. No legitimate use case for eBPF in sandboxed code execution
// 2. eBPF is a massive kernel attack surface
// 3. Even "safe" eBPF programs can have unintended effects
// 4. Docker blocks bpf by default
// 5. Many distros disable unprivileged eBPF entirely
//
// KERNEL SYSCTLS:
// kernel.unprivileged_bpf_disabled=1 (recommended on all systems)
//
// WHY THIS PAYLOAD:
// This payload attempts to use bpf(). A secure sandbox must block
// this syscall to prevent eBPF-based kernel exploits.
//
// EXPECTED RESULT:
// Sandbox should kill the process with SIGSYS (signal 31).
//
// REFERENCES:
// - https://man7.org/linux/man-pages/man2/bpf.2.html
// - https://lwn.net/Articles/853489/ (eBPF attack surface)
// - https://ciq.com/blog/linux-kernel-cves-2025 (eBPF CVE trends)
//
// BPF commands
// BPF map types
// Minimal bpf_attr structure for map creation
;
int