Monday, July 25, 2022

eBPF Driven Security For Locking And Auditing Linux Machines

bpflock - eBPF driven security for locking and auditing Linux machines.

Note: bpflock is currently in an experimental stage: it may break, options and security semantics may change, and some BPF programs will be updated to use the Cilium ebpf library.

1. Introduction

bpflock uses eBPF to strengthen Linux security. By restricting access to a wide range of Linux features, bpflock is able to reduce the attack surface and block some well-known attack techniques.

Only programs like container managers, systemd and other containers/programs that run in the host pid and network namespaces are allowed access to the full set of Linux features; containers and applications that run in their own namespaces will be restricted. If the bpflock bpf programs run under the restricted profile, then all programs/containers, including privileged ones, will have their access denied.

bpflock protects Linux machines by taking advantage of multiple security features, including Linux Security Modules + BPF.

Architecture and security design notes:

  • bpflock is not a mandatory access control labeling solution, and it does not intend to replace AppArmor, SELinux, or other MAC solutions. bpflock uses a simple declarative security profile.
  • bpflock offers multiple small bpf programs that can be reused in multiple contexts, from Cloud Native deployments to Linux IoT devices.
  • bpflock is able to restrict root from accessing certain Linux features; however, it does not protect against an evil root.

2. Functionality Overview

2.1 Security features

bpflock offers multiple security protections that can be classified as:

2.2 Semantics

bpflock keeps the security semantics simple. It supports three global profiles to broadly cover the security spectrum, and restricts access to specific Linux features.

  • profile: this is the global profile that can be applied per bpf program; it takes one of the following values:

    • allow|none|privileged : these are the same; they define the least secure profile. In this profile access is logged and allowed for all processes. Useful to log security events.
    • baseline : restrictive profile where access is denied for all processes, except privileged applications and containers that run in the host namespaces, or processes whose cgroup has an allowed profile in the bpflock_cgroupmap bpf map.
    • restricted : heavily restricted profile where access is denied for all processes.
  • Allowed or blocked operations/commands:

    Under the allow|privileged or baseline profiles, a list of allowed or blocked commands can be specified and will be applied.

    • --protection-allow : comma-separated list of allowed operations. Valid under the baseline profile; this is useful for applications that are too specific and perform privileged operations. It reduces the use of the allow|privileged profile: instead of using the privileged profile, we can specify the baseline one and add a set of allowed commands to provide a case-by-case definition for such applications.
    • --protection-block : comma-separated list of blocked operations. Valid under the allow|privileged and baseline profiles; it allows restricting access to some features without using the full restricted profile, which may break some specific applications. Using the baseline or privileged profiles opens the gate to most Linux features, but with the --protection-block option some of this access can be blocked.
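The profile and allow/block semantics above can be modelled as a small policy evaluator. The following Go program is an added example and is not bpflock's own code: the operation names ("bpf", "perf", "kexec_load") and subject names are constructed sample values, and the ordering in which a --protection-block entry is checked before the baseline privileged/cgroup exception is an assumption about the semantics, not something the README states. It also validates the option combinations the README calls valid (--protection-allow only under baseline, --protection-block only under allow|privileged and baseline).

```go
package main

import (
	"fmt"
	"strings"
)

// Profile is one of the three global profiles the README describes.
type Profile int

const (
	ProfileAllow      Profile = iota // allow | none | privileged: log and allow
	ProfileBaseline                  // deny unless privileged, cgroup-allowed, or in --protection-allow
	ProfileRestricted                // deny for every process, privileged ones included
)

// Subject is the process or container attempting an operation.
type Subject struct {
	Name           string
	HostNamespaces bool // runs in the host pid and network namespaces (systemd, a container manager)
	CgroupAllowed  bool // its cgroup carries an allowed profile in the bpflock_cgroupmap map
}

// Policy is one bpf program's effective configuration: the global profile plus
// the optional --protection-allow and --protection-block operation lists.
type Policy struct {
	Profile Profile
	Allow   map[string]bool
	Block   map[string]bool
}

// parseList splits a comma-separated option value into a set, ignoring blanks.
func parseList(s string) map[string]bool {
	set := map[string]bool{}
	for _, item := range strings.Split(s, ",") {
		if item = strings.TrimSpace(item); item != "" {
			set[item] = true
		}
	}
	return set
}

// NewPolicy builds a Policy from the option strings and enforces the README's
// validity rules for the two list options.
func NewPolicy(profile, allow, block string) (Policy, error) {
	var p Policy
	switch profile {
	case "allow", "none", "privileged":
		p.Profile = ProfileAllow
	case "baseline":
		p.Profile = ProfileBaseline
	case "restricted":
		p.Profile = ProfileRestricted
	default:
		return p, fmt.Errorf("unknown profile %q", profile)
	}
	p.Allow, p.Block = parseList(allow), parseList(block)
	if len(p.Allow) > 0 && p.Profile != ProfileBaseline {
		return p, fmt.Errorf("--protection-allow is only valid under the baseline profile")
	}
	if len(p.Block) > 0 && p.Profile == ProfileRestricted {
		return p, fmt.Errorf("--protection-block is not valid under the restricted profile")
	}
	return p, nil
}

// Decide reports whether subject s may perform op under policy p, with a reason.
// Assumption (not stated on the page): a --protection-block entry is checked
// before the baseline privileged/cgroup exception, so it blocks every subject.
func Decide(p Policy, s Subject, op string) (bool, string) {
	switch p.Profile {
	case ProfileRestricted:
		return false, "restricted: denied for all processes"
	case ProfileAllow:
		if p.Block[op] {
			return false, "allow: operation in --protection-block"
		}
		return true, "allow: logged and allowed"
	case ProfileBaseline:
		if p.Block[op] {
			return false, "baseline: operation in --protection-block"
		}
		if s.HostNamespaces || s.CgroupAllowed {
			return true, "baseline: privileged or cgroup-allowed subject"
		}
		if p.Allow[op] {
			return true, "baseline: operation in --protection-allow"
		}
		return false, "baseline: denied for unprivileged subject"
	}
	return false, "unknown profile"
}

func main() {
	// Constructed sample: a baseline policy with one allowed and one blocked operation.
	p, err := NewPolicy("baseline", "bpf", "kexec_load")
	if err != nil {
		panic(err)
	}
	for _, s := range []Subject{{Name: "systemd", HostNamespaces: true}, {Name: "app-container"}} {
		for _, op := range []string{"bpf", "perf", "kexec_load"} {
			ok, why := Decide(p, s, op)
			fmt.Printf("%-14s %-10s allowed=%-5t %s\n", s.Name, op, ok, why)
		}
	}
}
```

Running it prints one decision per subject/operation pair: the host-namespace subject gets everything except the blocked operation, while the unprivileged container only gets the operation listed in --protection-allow.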

For bpf security examples, check the bpflock configuration examples.

3. Deployment

3.1 Prerequisites

bpflock needs the following:
