bpflock - eBPF driven security for locking and auditing Linux machines.
Note: bpflock is currently in an experimental stage. It may break, options and security semantics may change, and some BPF programs will be updated to use the Cilium ebpf library.
1. Introduction
bpflock uses eBPF to strengthen Linux security. By restricting access to a wide range of Linux features, bpflock is able to reduce the attack surface and block some well-known attack techniques.
Only programs like container managers, systemd and other containers/programs that run in the host pid and network namespaces are allowed access to full Linux features; containers and applications that run in their own namespaces will be restricted. If bpflock bpf programs run under the restricted profile, then all programs/containers, including privileged ones, will have their access denied.
bpflock protects Linux machines by taking advantage of multiple security features, including Linux Security Modules + BPF.
Architecture and security design notes:
- bpflock is not a mandatory access control labeling solution, and it does not intend to replace AppArmor, SELinux, and other MAC solutions. bpflock uses a simple declarative security profile.
- bpflock offers multiple small bpf programs that can be reused in multiple contexts, from Cloud Native deployments to Linux IoT devices.
- bpflock is able to restrict root from accessing certain Linux features; however, it does not protect against an evil root.
2. Functionality Overview
2.1 Security features
bpflock offers multiple security protections that can be classified as:
2.2 Semantics
bpflock keeps the security semantics simple. It supports three global profiles to broadly cover the security spectrum, and restricts access to specific Linux features.
- profile: this is the global profile that can be applied per bpf program. It takes one of the following values:
  - allow|none|privileged: these are equivalent and define the least secure profile. In this profile access is logged and allowed for all processes. Useful to log security events.
  - baseline: restrictive profile where access is denied for all processes, except privileged applications and containers that run in the host namespaces, or processes whose cgroup has an allowed profile in the bpflock_cgroupmap bpf map.
  - restricted: heavily restricted profile where access is denied for all processes, privileged ones included.
- Allowed or blocked operations/commands: under the allow|privileged or baseline profiles, a list of allowed or blocked commands can be specified and will be applied.
  - --protection-allow: comma-separated list of allowed operations. Valid under the baseline profile; this is useful for applications that are too specific and perform privileged operations. It reduces the use of the allow|privileged profile: instead of using the privileged profile, we can specify the baseline one and add a set of allowed commands to provide a case-by-case definition for such applications.
  - --protection-block: comma-separated list of blocked operations. Valid under the allow|privileged and baseline profiles; it allows restricting access to some features without using the full restricted profile, which may break some specific applications. Using the baseline or privileged profiles opens the gate to most Linux features, but with the --protection-block option some of this access can be blocked.
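The profile and list semantics above, as an added illustrative model written for this page (not bpflock's own code, which enforces these rules inside its BPF programs): a small Go policy evaluator that decides an operation for a subject, plus a /proc-based helper that applies the same host pid/network namespace criterion the baseline profile uses for "privileged". The precedence of the block list over the profile exceptions, the rejection (rather than silent ignoring) of list/profile combinations the text marks as not valid, and the operation names (load_module, kexec, mount) are assumptions of the model, not taken from bpflock.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Policy models the per-program options: the global profile plus the
// comma-separated --protection-allow and --protection-block lists.
type Policy struct {
	Profile      string // "allow", "baseline" or "restricted"
	Allow, Block map[string]bool
}

// Subject is what the decision needs to know about the calling process.
type Subject struct {
	HostPIDNS, HostNetNS bool // runs in the host pid / network namespace
	CgroupAllowed        bool // its cgroup has an allowed profile in bpflock_cgroupmap
}

func splitList(s string) map[string]bool {
	m := map[string]bool{}
	for _, op := range strings.Split(s, ",") {
		if op = strings.TrimSpace(op); op != "" {
			m[op] = true
		}
	}
	return m
}

// ParsePolicy treats none and privileged as aliases of allow, and rejects
// list/profile combinations the text marks as not valid (a choice of this model).
func ParsePolicy(profile, allow, block string) (Policy, error) {
	aliases := map[string]string{"allow": "allow", "none": "allow", "privileged": "allow",
		"baseline": "baseline", "restricted": "restricted"}
	p := Policy{Profile: aliases[profile], Allow: splitList(allow), Block: splitList(block)}
	if p.Profile == "" {
		return Policy{}, fmt.Errorf("unknown profile %q", profile)
	}
	if len(p.Allow) > 0 && p.Profile != "baseline" {
		return Policy{}, errors.New("allow list is only valid under the baseline profile")
	}
	if len(p.Block) > 0 && p.Profile == "restricted" {
		return Policy{}, errors.New("block list is not valid under the restricted profile")
	}
	return p, nil
}

// Decide reports whether op is allowed for s and which rule fired. The precedence
// (restricted, then an explicit block, then the profile's exceptions) is this model's assumption.
func (p Policy) Decide(op string, s Subject) (bool, string) {
	switch {
	case p.Profile == "restricted":
		return false, "restricted: denied for all processes, privileged included"
	case p.Block[op]:
		return false, "operation is in the block list"
	case p.Profile == "allow":
		return true, "allow: logged and allowed for all processes"
	case s.HostPIDNS && s.HostNetNS:
		return true, "baseline: privileged (host pid and network namespaces)"
	case s.CgroupAllowed:
		return true, "baseline: cgroup allowed in bpflock_cgroupmap"
	case p.Allow[op]:
		return true, "baseline: operation is in the allow list"
	}
	return false, "baseline: denied"
}

// InHostNamespaces reports whether pid shares PID 1's pid and network namespaces,
// the criterion the profiles use for "privileged". This is a userspace approximation
// via /proc (Linux only); bpflock itself makes the decision inside its BPF programs.
func InHostNamespaces(pid int) (bool, error) {
	for _, ns := range []string{"pid", "net"} {
		var links [2]string
		for i, id := range []int{pid, 1} {
			l, err := os.Readlink(fmt.Sprintf("/proc/%d/ns/%s", id, ns))
			if err != nil {
				return false, err
			}
			links[i] = l
		}
		if links[0] != links[1] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed scenario; the operation names are placeholders, not bpflock's.
	pol, err := ParsePolicy("baseline", "load_module", "kexec")
	if err != nil {
		panic(err)
	}
	for _, op := range []string{"load_module", "kexec", "mount"} {
		ok, why := pol.Decide(op, Subject{}) // a container in its own namespaces
		fmt.Printf("%-12s allowed=%-5t %s\n", op, ok, why)
	}
}
```

The point the model makes explicit is how the two lists interact with the profiles: a blocked operation stays blocked even for a host-namespace (privileged) process under baseline, an allow-listed operation only matters under baseline, and restricted ignores both the lists and the privileged exception. InHostNamespaces(os.Getpid()) on a host shell returns true, and false from inside a container with its own pid or network namespace.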
For bpf security examples check the bpflock configuration examples.
3. Deployment
3.1 Prerequisites
bpflock needs the following: