bpflock uses eBPF to strengthen Linux security. By restricting access to a wide range of Linux features, bpflock is able to reduce the attack surface and block some well-known attack techniques.
Only programs like container managers, systemd and other containers/programs that run in the host pid and network namespaces are allowed access to full Linux features; containers and applications that run in their own namespaces will be restricted. If bpflock bpf programs run under the restricted profile, then all programs/containers, including privileged ones, will have their access denied.
bpflock protects Linux machines by taking advantage of multiple security features including Linux Security Modules + BPF.
Architecture and Security design notes:
bpflock offers multiple security protections that can be classified as:
bpflock keeps the security semantics simple. It supports three global profiles to broadly cover the security spectrum, and restricts access to specific Linux features.

profile: this is the global profile that can be applied per bpf program; it takes one of the following:
    allow|none|privileged: these are the same; they define the least secure profile. In this profile access is logged and allowed for all processes. Useful to log security events.
    baseline: restrictive profile where access is denied for all processes, except privileged applications and containers that run in the host namespaces, or per-cgroup allowed profiles in the bpflock_cgroupmap bpf map.
    restricted: heavily restricted profile where access is denied for all processes.

Allowed or blocked operations/commands: under the allow|privileged or baseline profiles, a list of allowed or blocked commands can be specified and will be applied.
    --protection-allow: comma-separated list of allowed operations. Valid under the baseline profile; this is useful for applications that are too specific and perform privileged operations. It reduces the use of the allow|privileged profile: instead of using the privileged profile, we can specify the baseline one and add a set of allowed commands to offer a case-by-case definition for such applications.
    --protection-block: comma-separated list of blocked operations. Valid under the allow|privileged and baseline profiles; it allows restricting access to some features without using the full restricted profile, which might break some specific applications. Using the baseline or privileged profiles opens the gate to access most Linux features, but with the --protection-block option some of this access can be blocked.

For bpf security examples check the bpflock configuration examples.
bpflock needs the following:
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_KPROBES=y
CONFIG_LSM="...,bpf"
CONFIG_BPF_LSM=y
If your kernel was compiled with CONFIG_BPF_LSM=y (check /boot/config-* to confirm), but running bpflock fails with:
must have a kernel with 'CONFIG_BPF_LSM=y' 'CONFIG_LSM=\"...,bpf\"'
Then to enable BPF LSM, as an example on Ubuntu, append the following to the GRUB_CMDLINE_LINUX variable in /etc/default/grub and save:
"lsm=lockdown,capability,yama,apparmor,bpf"
or
GRUB_CMDLINE_LINUX="lsm=lockdown,capability,yama,apparmor,bpf"
Update the grub config with:
sudo update-grub2
and reboot so the new kernel command line takes effect.
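A pre-flight check for the kernel requirements listed above, added here as an example and not part of bpflock itself: check_kconfig reads a kernel config file (for example /boot/config-$(uname -r)) and fails if any required option is missing or if bpf is not an entry of CONFIG_LSM; lsm_has_bpf also works on the running kernel's /sys/kernel/security/lsm list. The two sample configs are constructed for the demonstration.

```shell
# Added example, not bpflock code: pre-flight check of the kernel options listed above.
check_kconfig() {
    cfg="$1"
    rc=0
    for opt in CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO CONFIG_DEBUG_INFO_BTF \
               CONFIG_KPROBES CONFIG_BPF_LSM; do
        # Only an exact "=y" passes; "# CONFIG_X is not set" and "=m" both fail.
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "missing: ${opt}=y" >&2
            rc=1
        fi
    done
    # CONFIG_LSM is a quoted, comma-separated list; bpf must be one entry.
    lsm=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    if ! lsm_has_bpf "$lsm"; then
        echo "CONFIG_LSM does not include bpf: \"$lsm\"" >&2
        rc=1
    fi
    return $rc
}

# Takes an LSM list (CONFIG_LSM value, or the running kernel's
# /sys/kernel/security/lsm) and succeeds only if "bpf" is an exact entry.
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs: one that satisfies bpflock, one built without
# the BPF LSM. Real use: check_kconfig "/boot/config-$(uname -r)"
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_KPROBES=y
CONFIG_LSM="lockdown,capability,yama,apparmor,bpf"
CONFIG_BPF_LSM=y
EOF
cat > "$BAD_CFG" <<'EOF'
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_KPROBES=y
CONFIG_LSM="lockdown,capability,yama,apparmor"
# CONFIG_BPF_LSM is not set
EOF
```

Running check_kconfig against the second config prints each missing option on stderr and returns non-zero, which is the same condition that makes bpflock refuse to start.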
To run using the default allow or privileged profile (the least secure profile):
docker run --name bpflock -it --rm --cgroupns=host \
    --pid=host --privileged \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Passing configuration as bind mounts can be achieved using the following command.
Assuming the bpflock.yaml and bpf.d profile configs are in the current directory inside a bpflock directory, then we can just use:
ls bpflock/
bpf.d bpflock.d bpflock.yaml
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -v $(pwd)/bpflock/:/etc/bpflock \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Passing environment variables can also be done with files using --env-file. All parameters can be passed as environment variables using the BPFLOCK_$VARIABLE_NAME=VALUE format.
Example run with environment variables in a file:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    --env-file bpflock.env.list \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
bpflock uses docker BuildKit to build, and Golang to make some checks and run tests. bpflock is built inside an Ubuntu container that downloads the standard golang package.
Run the following to build the bpflock docker container:
git submodule update --init --recursive
make
Bpf programs are built using libbpf. The docker image used is Ubuntu.
If you want to only build the bpf programs directly without using docker, then on Ubuntu:
sudo apt install -y pkg-config bison binutils-dev build-essential \
flex libc6-dev clang-12 libllvm12 llvm-12-dev libclang-12-dev \
zlib1g-dev libelf-dev libfl-dev gcc-multilib zlib1g-dev \
libcap-dev libiberty-dev libbfd-dev