BPFContain

BPFContain is a container security daemon for GNU/Linux leveraging the power and safety of eBPF and Rust.

Disclaimer: BPFContain is still in active development and is not yet feature-complete. In particular: Docker support is a work in progress; the policy language may change at any time; and the enforcement engine is not optimized.

Roadmap

BPFContain is neither perfect nor complete. In fact, there are several major action items planned for future iterations on the BPFContain prototype. These items represent good candidates for future pull requests. You can find the list here.

Quick Start

You can try out BPFContain using Vagrant along with the provided Vagrantfile. All you need to do is install Vagrant (along with a virtualization provider like VirtualBox or KVM) and run vagrant up && vagrant ssh. You can run tests with vagrant ssh -c "cargo test".

How to Install

Requirements

To compile and run BPFContain:

Linux kernel version >= 5.10

Kernel should be compiled with at least the following build flags:

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_TRACEPOINTS=y
CONFIG_BPF_LSM=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=y
# (Note: This can also be set in kernel arguments via your bootloader, e.g. grub)
CONFIG_LSM="bpf"

Kernel should be compiled with pahole >= 0.16 installed to generate BTF info

An up-to-date version of Clang and LLVM (BPFContain is tested on version 12.0 and up)
Latest version of stable Rust and Cargo (curl https://sh.rustup.rs -sSf | sh)
Other dependencies should be handled by Cargo

If you want/need to generate a new vmlinux.h (e.g. to support a non-standard kernel):

You must install bpftool from your kernel sources
- Available in tools/bpf/bpftool in Linus' source tree
The build script that comes with BPFContain should generate the correct vmlinux.h before compiling the BPF programs

Installation

Make sure you have all the dependencies above.
Clone this repo: git clone https://github.com/willfindlay/bpfcontain-rs/ && cd bpfcontain-rs
Install BPFContain: cargo install --path .
Add $HOME/.cargo/bin to your $PATH

Usage

Run the daemon once in the foreground to create all necessary files and directories
- sudo bpfcontain daemon fg
- Ctrl-C to stop
Install policy in /var/lib/bpfcontain/policy
Start the daemon:
- sudo bpfcontain daemon start
Run confined programs:
- bpfcontain run <policy.yml> where policy is the name of your policy

Docker usage

Docker README

Policy Language

BPFContain policy is written in YAML. You can have a look at the example policy or read the policy documenation (TODO: policy documentation).

Todo List

Higher level policy rules
- Full policy language documentation
Add virtualization support
- should probably be OCI-compliant
- can integrate with policy (e.g. mount policy with overlayfs can replace file/filesystem policy entirely)

Name		Name	Last commit message	Last commit date
Latest commit History 432 Commits
.cargo		.cargo
.github/workflows		.github/workflows
config		config
examples		examples
notes		notes
scripts		scripts
src		src
tests		tests
.ccls		.ccls
.gitattributes		.gitattributes
.gitignore		.gitignore
ARCHITECTURE.md		ARCHITECTURE.md
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
DOCKER.md		DOCKER.md
LICENSE		LICENSE
README.md		README.md
ROADMAP.md		ROADMAP.md
Vagrantfile		Vagrantfile
bindings.h		bindings.h
build.rs		build.rs
deny.toml		deny.toml

License

willfindlay/bpfcontain-rs

Folders and files

Latest commit

History

Repository files navigation

BPFContain

Roadmap

Quick Start

How to Install

Requirements

Installation

Usage

Docker usage

Policy Language

Todo List

About

Resources

License

Stars

Watchers

Forks

Languages