We have built our tooling with eBPF, but eBPF can also be used to build rootkits and other malicious programs: https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html.
To prevent this class of compromise, we released a new feature that, by default, blocks loading eBPF programs and pinning BPF objects (https://docs.ebpf.io/linux/concepts/pinning/) even for privileged processes, which closes off a large class of attack vectors.
Bomfather supports kernel versions 5.18 to 6.18, and we wanted this feature to be available to all our customers. However, the critical kernel API that provides this functionality had a breaking change in kernel version 6.15: the handler signature became int BPF_PROG(lsm_bpf, int cmd, union bpf_attr *attr, unsigned int size, bool kernel), with the additional parameter bool kernel, which earlier kernels do not support; on those kernels the signature is int BPF_PROG(lsm_bpf_compat, int cmd, union bpf_attr *attr, unsigned int size). We dealt with this by compiling both handlers into the BPF object together with the userspace code, and loading only the one that matches the running kernel version.
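As an added example (not Bomfather's own code), the userspace half of that approach in C: parse the running kernel's release string and decide which of the two handlers, lsm_bpf or lsm_bpf_compat, to keep autoloaded, using the 6.15 signature change and the 5.18 to 6.18 support range as the thresholds. The version parser, the skeleton member names and the libbpf call bpf_program__set_autoload mentioned in the comment are assumptions about how such a loader is structured.

```c
/* Added example, not Bomfather's code: pick which lsm/bpf handler a libbpf
 * loader keeps autoloaded from the running kernel's release string. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#define KVER(a, b, c) (((a) << 16) | ((b) << 8) | (c))

/* Parse "6.15.3-arch1-1" or "6.15-rc1" into KVER(major, minor, patch);
 * distro suffixes are ignored, and 0 is returned unless major.minor parse. */
unsigned int parse_kernel_release(const char *rel)
{
    unsigned int v[3] = {0, 0, 0}, got = 0;
    const char *p = rel;
    for (int i = 0; i < 3; i++) {
        char *end;
        unsigned long n = strtoul(p, &end, 10);
        if (end == p || n > 255)
            break;              /* no digits here, or field too large */
        v[i] = (unsigned int)n;
        got++;
        if (*end != '.')
            break;              /* reached "-rc1", "-arch1" or end of string */
        p = end + 1;
    }
    return got < 2 ? 0 : KVER(v[0], v[1], v[2]);
}

/* Handler to leave autoloaded (the other is disabled before loading), or
 * NULL when the kernel is outside the 5.18..6.18 range the text supports. */
const char *select_lsm_bpf_prog(unsigned int kver)
{
    if (kver < KVER(5, 18, 0) || kver >= KVER(6, 19, 0))
        return NULL;
    return kver >= KVER(6, 15, 0) ? "lsm_bpf" : "lsm_bpf_compat"; /* bool kernel since 6.15 */
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0)
        return perror("uname"), 1;
    const char *prog = select_lsm_bpf_prog(parse_kernel_release(u.release));
    if (!prog)
        return fprintf(stderr, "unsupported kernel %s\n", u.release), 1;
    /* With a libbpf skeleton this is where the unused handler is switched off,
     * e.g. bpf_program__set_autoload(skel->progs.lsm_bpf_compat, false). */
    printf("kernel %s -> keep %s\n", u.release, prog);
    return 0;
}
```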