lockc
Making containers more secure with eBPF and Linux Security Modules (LSM)
lockc records all processes of a container. If a process exits, it is still stored in the processes map, but the process is unused for the container. So I...
https://lore.kernel.org/bpf/[email protected]/ There is a kernel patchset which allows to attach BPF LSM programs to cgroups. If I understand it correctly, that would allow us to get rid of "container monitoring"...
When deployed on k3d, lockc policies don't work at all. Those deployments are succeeding: https://github.com/lockc-project/lockc/blob/main/examples/kubernetes/deployments-should-fail.yaml
### Cluster Information - minikube installed with eBPF support. You can find the code at [kinvolk/cloud-native-bpf-workshop](https://github.com/kinvolk/cloud-native-bpf-workshop/blob/master/minikube.md) - Apart from this, tried installing it on a [lokomotive](https://github.com/kinvolk/lokomotive) cluster on Azure. It...
Currently Linux distributions don't enable BPF LSM by default. Enabling it requires editing GRUB configuration and providing custom kernel parameter like: ``` GRUB_CMDLINE_LINUX="lsm=lockdown,capability,bpf" ``` This is not really convenient and...
In the latest version of lockc we can observe a new issue: ``` mjura@gecko:~/lockc> kubectl exec -ti myapp-57654f69bc-gdbmc -- bash error: Internal error occurred: error executing command in container: failed to exec...
Currently we put allowed mount paths in a BPF hash map, where those paths are values, and for checking each mount we iterate over that whole map and search for...
So far we are using GitHub Actions to run tests and checkers. The problem is that all `ubuntu-latest` GitHub Actions runners have quite an old kernel, too old for us. If...
Environment: ubuntu 21.04 kernel 5.11.0 1. It fails to load the ebpf-lsm program. `Error: the BPF_PROG_LOAD syscall failed. Verifier output: func#0 @0 number of funcs in func_info doesn't match number of...
I have used the command `DOCKER_BUILDKIT=1 dapper cargo build` to build lockc. Then I wanted to test, but it failed. `# dapper cargo test` Sending build context to Docker daemon 9.758MB...