bpfbox: Simple Precise Process Confinement with eBPF and KRSI William Findlay October 28, 2020 bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write Motivation ▶ Existing process confinement mechanisms are complex seccomp-bpf Unix DAC Namespaces Cgroups Capabilities Namespaces Unix DAC seccomp-bpf ▶ Existing process confinement mechanisms are prototyping ▶ Safe production deployment of new security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3

two editions are the lack of an X window environment in the Server Edition and the installation process. 2 https://wiki.ubuntu.com/S390X/InstallationGuide 4 Installation 1.2.1. Kernel Differences: After booting into the installer, it will ask you which language to use. • Next, the installation process begins by asking for your keyboard layout. You can ask the installer to attempt auto-detecting it include a graphical installation program. The debian- installer installer uses a console menu based process instead. • Download the appropriate ISO file from the Ubuntu web site7. • Boot the system from

Environment” (PXE) specification, which allows the provisioning of a bootloader over the network. The process for network booting the live server installer is similar for both modes and goes like this: 1. The and subiquity in UEFI mode with Ubuntu 20.04 (or later). The process is applicable to both of the architectures, arm64 and amd64. This process is inpired by this Ubuntu Discourse post for legacy mode, which serve necessary files for netbooting. Necessary Files There are several files needed for this process. The following files are needed: • Ubuntu live server image – For arm64 architecture, its image

. 78 Debian Reference viii 3 The system initialization 79 3.1 An overview of the boot strap process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 3.1.1 Stage 1: program activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 9.4.1 Timing a process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 9.4.5 Listing files opened by a process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 9.4.6 Tracing

tries to ensure them to be compatible with the latest set of packages in the testing archive. This process makes the testing archive very current and usable. Através do processo de congelamento gradual do UEFI specification. When a computer is powered on, the boot manager is the 1st stage of the boot process which checks the boot configuration and based on its settings, then executes the specified OS boot used instead.) 3.1.2 Estágio 2: o gestor de arranque The boot loader is the 2nd stage of the boot process which is started by the UEFI. It loads the system kernel image and the initrd image to the memory

tries to ensure them to be compatible with the latest set of packages in the testing archive. This process makes the testing archive very current and usable. Durch den abgestuften, vom Release-Team gesteuerten Debian system starts, /usr/sbin/init symlinked to /usr/lib/systemd is started as the init system process (PID=1) owned by root (UID=0). See systemd(1). Der systemd-Init-Prozess wird - basierend auf den /lib/systemd/system --user is started as the user service manager process owned by the corresponding user. See systemd(1). The systemd user service manager process spawns processes in parallel based on the declarative

Debian system starts, /usr/sbin/init symlinked to /usr/lib/systemd is started as the init system process (PID=1) owned by root (UID=0). See systemd(1). systemd 初始化进程基于单元配置文件 (参见 systemd.unit(5)) 来并行派生进程，这些单元配置文件使用声明样式 /lib/systemd/system --user is started as the user service manager process owned by the corresponding user. See systemd(1). The systemd user service manager process spawns processes in parallel based on the declarative up by creating a data source file ”/etc/netplan/00-network-manager.yaml”: network: version: 2 renderer: NetworkManager 5.5 底层网络配置 在 Linux 上的底层网络配置，使用 iproute2 程序 (ip(8), …) . 5.5.1 Iproute2 命令 Iproute2

Debian system starts, /usr/sbin/init symlinked to /usr/lib/systemd is started as the init system process (PID=1) owned by root (UID=0). See systemd(1). systemd 初始化程序基於單元配置檔案 (參見 systemd.unit(5)) 來並行派生程序，這些單元配置檔案使用宣告樣式 /lib/systemd/system --user is started as the user service manager process owned by the corresponding user. See systemd(1). The systemd user service manager process spawns processes in parallel based on the declarative up by creating a data source file ”/etc/netplan/00-network-manager.yaml”: network: version: 2 renderer: NetworkManager 5.5 底層網路調配 在 Linux 上的底層網路配置，使用 iproute2 程式 (ip(8), …) . 5.5.1 Iproute2 指令 Iproute2

du système Le système informatique subit plusieurs phases de processus d’amorçage (« boot strap process ») depuis l’événement de mise sous tension jusqu’à ce qu’il offre à l’utilisateur un système d’exploitation créant un fichier de données source « /etc/netplan/00-network-manager.yaml » : network: version: 2 renderer: NetworkManager 5.5 Configuration réseau de bas niveau Pour la configuration réseau de bas niveau

creando un file di sorgente di dati ”/etc/netplan/00-network-manager.yaml”: network: version: 2 renderer: NetworkManager 5.5 Configurazione della rete a basso livello Per la configurazione di rete a