bpflock - eBPF driven security for locking and auditing Linux machines


bpflock - Lock Linux machines

This is a Work In Progress:

  • bpflock is currently in experimental stage and some BPF programs are being updated.

  • Programs will be updated soon to use Cilium ebpf library and turned into a small daemon.


1. Introduction

bpflock is designed to work alongside init programs, systemd or container managers to protect Linux machines using a system-wide approach. The "plan" is to make it usable on Kubernetes deployments, servers, Linux IoT devices, and workstations.

bpflock combines multiple independent bpf programs to restrict access to a wide range of Linux features. Only services such as init, systemd or container managers that run in the initial mnt namespace are able to access all Linux kernel features; other tasks, including containers that run in their own namespaces, are restricted or completely blocked.

bpflock uses LSM BPF to implement its security features.

Note: bpflock is able to restrict root access to some features, however it does not protect against malicious root users. Such users are able to disable bpflock if the /sys file system is writable.

1.1 Security features

bpflock bpf programs offer multiple security protections and are able to restrict access to the following features:

1.2 Semantics

The semantics shared by all programs are:

  • Permission: each program supports three different permission models.

    • allow|none: access is allowed.
    • deny: access is denied for all processes.
    • restrict: access is allowed only from processes that run in the initial mnt namespace (and the other initial namespaces). This lets init, systemd and container managers access all functionality.
  • Allowed or blocked operations/commands: when a program runs under the allow or restrict permission model, it can define a list of allowed or blocked commands.

    • allow: comma-separated list of allowed commands.
    • block: comma-separated list of blocked commands.
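The permission model and command lists above, worked through as an added policy evaluator in Go (this is not bpflock's own code; the command names are constructed placeholders, and the precedence of a block list over an allow list is an assumption the page does not state):

```go
package main

import "strings"

// Policy is one bpflock program's configuration, following the semantics
// section: a permission model plus optional allow/block command lists.
type Policy struct {
	Perm  string          // "allow", "none", "deny" or "restrict"
	Allow map[string]bool // parsed from the comma-separated allow list
	Block map[string]bool // parsed from the comma-separated block list
}

// ParseList turns "a,b, c" into a set; an empty string gives an empty set.
func ParseList(csv string) map[string]bool {
	set := map[string]bool{}
	for _, item := range strings.Split(csv, ",") {
		if item = strings.TrimSpace(item); item != "" {
			set[item] = true
		}
	}
	return set
}

// Decide reports whether cmd is permitted for a process; initialMntNS says
// whether that process runs in the initial mnt namespace.
// Assumption (not stated on the page): block is checked before allow, a
// non-empty allow list permits only the commands it names, and an unknown
// permission keyword fails closed.
func (p Policy) Decide(cmd string, initialMntNS bool) bool {
	switch strings.ToLower(strings.TrimSpace(p.Perm)) {
	case "deny":
		return false // denied for every process, init included
	case "restrict":
		if !initialMntNS {
			return false // containers and other namespaces are blocked
		}
	case "allow", "none":
	default:
		return false
	}
	if p.Block[cmd] {
		return false
	}
	if len(p.Allow) > 0 {
		return p.Allow[cmd]
	}
	return true
}
```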

2. Build

First we need the right dependencies:

2.1 libbpf

This repository uses libbpf as a git-submodule. After cloning this repository you need to run the command:

git submodule update --init

If you want submodules to be part of the clone, you can use this command:

git clone --recurse-submodules https://github.com/linux-lock/bpflock

2.2 kernel

Tested on kernel 5.15.0-rc5+ (will pin to 5.15 when released) with the following options:


2.3 Libraries and compilers


To build, install the following packages:

sudo apt install -y bison build-essential flex \
      git libllvm10 llvm-10-dev libclang-10-dev \
      zlib1g-dev libelf-dev libfl-dev

2.4 Build binaries

Fetch libbpf if you have not already:

git submodule update --init

To build, just run:


All built binaries and libraries will be produced in the build/dist/ directory.

The current build process was inspired by: https://github.com/iovisor/bcc/tree/master/libbpf-tools

4. Deployment
