bpfbox: Simple Precise Process Confinement with eBPF and KRSI William Findlay October 28, 2020 bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write Motivation ▶ Existing process confinement mechanisms are complex seccomp-bpf Unix DAC Namespaces Cgroups Capabilities Namespaces Unix DAC seccomp-bpf ▶ Existing process confinement mechanisms are difficult Safe production deployment of new security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3 bcc framework

concurrency The problem Volatiles are of no help Thread-safe data structures Thread confinement fine-grained Thread confinement coarse-grained Mutual exclusion Actors Coroutines can be executed concurrently state or to complex operations that do not have ready-to-use thread-safe implementations. Thread confinement is an approach to the problem of shared mutable state where all access to the particular shared thread-confinement. Each individual increment switches from multi- threaded Dispatchers.Default context to the single-threaded context using withContext block. In practice, thread confinement is performed

44 The problem Volatiles are of no help Thread-safe data structures Thread confinement fine-grained Thread confinement coarse-grained Mutual exclusion Select expression (experimental) Selecting operations that do not have ready-to-use thread-safe implementations. Thread confinement fine-grained Thread confinement is an approach to the problem of shared mutable state where all access to the thread-confinement. Each individual increment switches from multi-threaded Dispatchers.Default context to the single-threaded context using withContext(counterContext) block. Thread confinement coarse-grained

initializing DBus server, dBusServer == 0` Snapcraft forum topic: https://forum.snapcraft.io/t/classic-confinement-for-dbeaver-ce/27502 ### Workaround While the problem is being fixed, you can use the **workaround**:

initializing DBus server, dBusServer == 0` Snapcraft forum topic: https://forum.snapcraft.io/t/classic-confinement-for-dbeaver-ce/27502 ### Workaround While the problem is being fixed, you can use the **workaround**:

initializing DBus server, dBusServer == 0` Snapcraft forum topic: https://forum.snapcraft.io/t/classic-confinement-for-dbeaver-ce/27502 ### Workaround While the problem is being fixed, you can use the **workaround**:

lxc-start run unconfined, but continue to confine the container itself. If you also wish to disable confinement of the container, then in addition to disabling the usr.bin.lxc-start profile, you must add: lxc

initializing DBus server, dBusServer == 0` Snapcraft forum topic: https://forum.snapcraft.io/t/classic-confinement-for-dbeaver-ce/27502 ### Workaround While the problem is being fixed, you can use the **workaround**:

initializing DBus server, dBusServer == 0` Snapcraft forum topic: https://forum.snapcraft.io/t/classic-confinement-for-dbeaver-ce/27502 ### Workaround While the problem is being fixed, you can use the **workaround**:

initializing DBus server, dBusServer == 0` Snapcraft forum topic: https://forum.snapcraft.io/t/classic-confinement-for-dbeaver-ce/27502 ### Workaround While the problem is being fixed, you can use the **workaround**: