bpfbox: Simple Precise Process Confinement with eBPF and KRSI William Findlay October 28, 2020 bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write Motivation ▶ Existing process confinement mechanisms are complex seccomp-bpf Unix DAC Namespaces Cgroups Capabilities Namespaces Unix DAC seccomp-bpf ▶ Existing process confinement mechanisms are prototyping ▶ Safe production deployment of new security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3

. 78 Debian Reference viii 3 The system initialization 79 3.1 An overview of the boot strap process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 3.1.1 Stage 1: program activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 9.4.1 Timing a process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 9.4.5 Listing files opened by a process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 9.4.6 Tracing

Introduction ............................... xiv 4.6. Context Setting .......................... xiv 4.7. Main Body ................................ xiv 5. Summary ........................................... comfort with Ubuntu. • Use presentation slides to stay on topic and avoid getting lost and cover the main points without forgetting anything. Glance at a specific point and quickly return attention to the important from learner's perspective. • Providing a link from the previous to the current topic. 4.7. Main Body You could use any or all of the Instructional methods listed above. However, depending on the

will be applied to the disks. In either case, the installer moves onto the main storage customisation screen. 22 The main storage screen This screen presents a summary of the current storage configuration Environment” (PXE) specification, which allows the provisioning of a bootloader over the network. The process for network booting the live server installer is similar for both modes and goes like this: 1. The boot 1. Download pxelinux.0 and put it into place: wget http://archive.ubuntu.com/ubuntu/dists/eoan/main/installer-amd64/current/images/netboot/ubuntu- installer/amd64/pxelinux.0 mkdir -p /srv/tftp mv

.............................................................................. 94 A. Software Process List ........................................................................................... SERIALNUMBER=TBBBB1182827 MODELNAME=UC-8220-T-LX-US-S SECUREBOOT=Enabled The following table compares the main features in the standard and secure models. Standard Model Secured Model IEC 62443-4-2 SL2 according to the Serial Console Port Settings table provided. 6. Select Save setup as dfl (from the main configuration menu) to use default values. 7. Select Exit from minicom (from the configuration

different ways that Ubuntu Server Edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably- two editions are the lack of an X window environment in the Server Edition and the installation process. 2 https://wiki.ubuntu.com/S390X/InstallationGuide 4 Installation 1.2.1. Kernel Differences: containing the ISO file. • At the boot prompt you will be asked to select a language. • From the main boot menu there are some additional options to install Ubuntu Server Edition. You can install a basic

according to the criteria used by the Debian GNU/Linux project and thus cannot be included in the main distribution. If the device driver itself is included in the dis- tribution and if Debian GNU/Linux security updates. This usually means that the non-free-firmware component gets enabled, in addition to main. Users who wish to disable firmware lookup entirely can do so by setting the firmware=never boot parameter to allow you to install certain additional software. Many more actors play smaller parts in this process, but debian-installer has completed its task when you load the new system for the first time. To

Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Weekly duties Developer’s Certificate of Origin Development Setup Verifying Your repositories Update cilium-builder and cilium-runtime images Nightly Docker image Image Building Process Code Overview High-level Cilium Hubble Important common packages Debugging toFQDNs and DNS Debugging Release Cadence Backporting process Backport Criteria Backporting Guide for the Backporter Backporting Guide for Others Generic Release Process GitHub template process Reference steps for the template

Contributor Guide Setting up the development environment Development process End-To-End Testing Framework How to contribute Pull request review process Building Container Images Documentation Developer’s Certificate Release Cadence Stable releases LTS Generic Release Process GitHub template process Reference steps for the template Minor Release Process Backporting process CI / Jenkins Jobs Overview Triggering Pull-Request dropped or a request rejected. The policy tracing framework allows to trace the policy decision process for both, running workloads and based on arbitrary label definitions. Metrics export via Prometheus:

Contributor Guide Se�ng up the development environment Development process End-To-End Tes�ng Framework How to contribute Pull request review process Building Container Images Documenta�on CI / Jenkins Release dropped or a request rejected. The policy tracing framework allows to trace the policy decision process for both, running workloads and based on arbitrary label defini�ons. Metrics export via Prometheus: released Cilium version [h�ps://github.com/cilium/cilium/releases] by edi�ng roles/download/defaults/main.yml . Open the file, search for cilium_version , and replace the version with the latest released