Implement/Apply the security threat model recommendations for Beyla

[grcevski]

There is a recently published paper on various threat models with eBPF by the community https://www.linuxfoundation.org/hubfs/eBPF/ControlPlane%20%E2%80%94%20eBPF%20Security%20Threat%20Model.pdf.

We already cover a lot of this with our ability to use the minimum set of permissions to run Beyla, however there are couple of things we can take as an action items. I'll make this a meta feature request issue.

Items to consider implementing:

• Write good documentation on security practices for eBPF programs. Related detailed threat model sections [1, 3, 8, 9, 17]
• Build our eBPF binaries on CI, reject binaries in pull requests. Related detailed threat model sections [9]
• Sign our eBPF binaries verify the origin source. Related detailed threat model sections [9, 10]

[rafaelroquetto]

With regards to the item "Build our eBPF binaries on CI, reject binaries in pull requests. Related detailed threat model sections [9]", it has the implication that people building Beyla from source will now need to have llvm installed to build binaries, or is there another way?
I'm definitely not against it, I just thought I'd highlight this side-effect for further discussion.

[marevers]

About pt. 2, could you not simply add either the path where the BPF binaries are built to the gitignore? Or alternatively, add the relevant file extensions to it. That way, you could guarantee that PRs don't include them. For testing binaries can still be built locally but it ensures that the official images only contain verified binaries without risk of them containing untrusted/unverified code.