Problem
ebpf/owlbear_net.bpf.c kprobes on tcp_v4_connect and udp_sendmsg are observe-only. They emit events but never block connections. The daemon-side net_allowlist.c logs unknown destinations but has no enforcement path back to the kernel.
In enforce mode, a cheat exfiltrating game state over UDP (demonstrated by cheats/net_exfil.c) succeeds — the daemon sees it but can't stop it.
Proposal
Two-phase approach:
- BPF LSM hook on socket_connect — can return -EPERM to block connections to non-allowlisted IPs. Requires a BPF map populated with the allowlist from userspace.
- Populate allowlist map from daemon — extend owl_bpf_init to push net_allowlist entries into a shared BPF hash map at startup.
Observe mode: log only (current behavior). Enforce mode: block + log.
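As an added example (not code from the owlbear repository), here is a user-space model in plain C of the decision the proposed lsm/socket_connect program would make, with observe and enforce modes side by side; the array standing in for the BPF hash map, the owl_* helper names and the sample addresses are assumptions.

```c
/* Added example, not owlbear project code: a user-space model of the decision the
 * proposed lsm/socket_connect program makes (helper and map names are assumed). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

enum owl_mode { OWL_OBSERVE = 0, OWL_ENFORCE = 1 };
/* Stand-in for the shared BPF_MAP_TYPE_HASH: IPv4 keys in network byte order.
 * In the BPF program this lookup becomes bpf_map_lookup_elem(). */
static in_addr_t owl_allowlist[16];
static int owl_allowlist_len;

/* What owl_bpf_init would push from net_allowlist at daemon startup. */
int owl_allowlist_add(const char *dotted)
{
    struct in_addr a;
    if (owl_allowlist_len >= 16 || inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    owl_allowlist[owl_allowlist_len++] = a.s_addr;
    return 0;
}

/* Same contract as the LSM hook: return 0 to allow the connect, -EPERM to deny. */
int owl_socket_connect(enum owl_mode mode, const struct sockaddr *sa, int addrlen)
{
    /* Only AF_INET is checked; other address families pass through unchanged. */
    if (sa->sa_family != AF_INET || addrlen < (int)sizeof(struct sockaddr_in))
        return 0;
    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    for (int i = 0; i < owl_allowlist_len; i++)
        if (owl_allowlist[i] == sin->sin_addr.s_addr)
            return 0;                       /* allowlisted: no event, no block */
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof ip);
    /* Unknown destination: always emit the event; block only in enforce mode. */
    fprintf(stderr, "owlbear: non-allowlisted connect to %s:%u (%s)\n", ip,
            ntohs(sin->sin_port), mode == OWL_ENFORCE ? "blocked" : "logged");
    return mode == OWL_ENFORCE ? -EPERM : 0;
}

/* Convenience wrapper: build the sockaddr_in a connect(2) caller would pass. */
int owl_check(enum owl_mode mode, const char *dotted, unsigned short port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, dotted, &sin.sin_addr);
    return owl_socket_connect(mode, (const struct sockaddr *)&sin, sizeof sin);
}
```

One caveat for the enforce path: the socket_connect LSM hook fires only for connect(2), and a UDP sendto(2) on an unconnected socket reaches the kernel through the socket_sendmsg hook instead, so if cheats/net_exfil.c sends that way the block has to cover socket_sendmsg as well.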
Acceptance
- cheats/net_exfil.bin gets EPERM in enforce mode
- Allowlisted IPs (127.0.0.1, configured game servers) still connect
- Observe mode unchanged
- E2E assertion in verify.sh