bpflock - Lock Linux machines
bpflock - eBPF driven security for locking and auditing Linux machines.
This is a Work In Progress:
bpflock is currently in an experimental stage and some BPF programs are being updated.
Programs will be updated soon to use the Cilium ebpf library and will be turned into a small daemon.
bpflock is designed to work alongside init programs, systemd or container managers to protect Linux machines using a system-wide approach. The
"plan" is to make it usable on Kubernetes deployments, servers, Linux IoT devices and workstations.
bpflock combines multiple independent BPF programs to restrict access to a wide range of Linux features. Only services such as init, systemd or container managers that run in the initial mnt namespace are able to access all Linux kernel features; other tasks, including containers that run in their own namespaces, are restricted or completely blocked.
bpflock uses LSM BPF to implement its security features.
bpflock is able to restrict root access to some features; however, it does not protect against evil root users. Such users are able to disable
its protections if the /sys file system is writable.
1.1 Security features
bpflock's BPF programs offer multiple security protections and are able to restrict access to the following features:
- Read-only root filesystem protection
- sysfs protection
The semantics shared by all programs are:
Permission: each program supports three different permission models.
allow|none: access is allowed.
deny: access is denied for all processes.
restrict: access is allowed only to processes that run in the initial mnt namespace (and the other initial namespaces). This allows init, systemd and container managers to properly access all functionality.
Allowed or blocked operations/commands: when a program runs under the allow or restrict permission model, it can define a list of allowed or blocked commands.
allow: comma-separated list of allowed commands.
block: comma-separated list of blocked commands.
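The permission model above, as an added user-space illustration (not bpflock's own BPF code): bpflock_decide() applies the allow|none / deny / restrict rules plus the allow and block command lists, and mntns_inum() / in_initial_mntns() show the "is the caller in the initial mnt namespace" test by comparing the caller's /proc/self/ns/mnt inode with that of PID 1. The function names, the rule that a block entry wins over an allow entry, and the exact list semantics are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for readlink() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum perm { PERM_ALLOW, PERM_DENY, PERM_RESTRICT }; /* allow|none, deny, restrict */
/* 1 if cmd exactly matches one entry of the comma-separated list, else 0. */
int list_has(const char *list, const char *cmd)
{
    size_t n = strlen(cmd);
    for (const char *p = list; p && *p; p = strchr(p, ','), p = p ? p + 1 : NULL)
        if (strncmp(p, cmd, n) == 0 && (p[n] == ',' || p[n] == '\0'))
            return 1;
    return 0;
}

/* Decision for one operation. in_init_mntns: caller is in the initial mount
 * namespace. allow/block: command lists, NULL or "" when unset (assumed here:
 * a block entry wins over an allow entry). Returns 1 = permit, 0 = block. */
int bpflock_decide(enum perm mode, int in_init_mntns, const char *cmd,
                   const char *allow, const char *block)
{
    if (mode == PERM_DENY)
        return 0;                        /* denied for every process */
    if (mode == PERM_RESTRICT && !in_init_mntns)
        return 0;                        /* containers / other mnt ns: blocked */
    if (block && list_has(block, cmd))
        return 0;
    if (allow && *allow)
        return list_has(allow, cmd);     /* allow list set: only listed pass */
    return 1;
}

/* Inode of a mount-namespace link such as /proc/self/ns/mnt; 0 on failure. */
unsigned long mntns_inum(const char *path)
{
    char buf[64]; unsigned long ino = 0;
    ssize_t n = readlink(path, buf, sizeof(buf) - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return sscanf(buf, "mnt:[%lu]", &ino) == 1 ? ino : 0;
}

/* 1 = shares PID 1's mount ns, 0 = does not, -1 = /proc/1/ns/mnt unreadable (needs ptrace access to PID 1). */
int in_initial_mntns(void)
{
    unsigned long self = mntns_inum("/proc/self/ns/mnt"), init = mntns_inum("/proc/1/ns/mnt");
    return (self && init) ? (self == init) : -1;
}
```

In the real system this decision runs inside the BPF LSM hook at kernel side; here it is only modelled in user space so the semantics can be exercised.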
First we need the right dependencies:
This repository uses libbpf as a git submodule. After cloning this repository you need to run the command:
git submodule update --init
If you want submodules to be part of the clone, you can use this command:
git clone --recurse-submodules https://github.com/linux-lock/bpflock
Tested on kernel 5.15.0-rc5+ (will pin to 5.15 when released) with the following options:
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_KPROBES=y
CONFIG_LSM="...,bpf"
CONFIG_BPF_LSM=y
2.3 Libraries and compilers
To build, install the following packages:
sudo apt install -y bison build-essential flex \
    git libllvm10 llvm-10-dev libclang-10-dev \
    zlib1g-dev libelf-dev libfl-dev
2.4 Build binaries
Fetch libbpf if you have not done so already:
git submodule update --init
To build just run:
All built binaries and libraries will be produced in
The current build process was inspired by: https://github.com/iovisor/bcc/tree/master/libbpf-tools