[RFC] Landlock LSM: Unprivileged sandboxing
Mickaël Salaün
September 29, 2016
1 / 12
Goal: restrict processes without needing root privileges
Examples
files beneath a list of directories
bind to a range of ports
Append restrictions
stackable LSM
global system view
without SUID and complex brokers
Who is concerned?
applications with built-in sandboxing
sandboxing managers
2 / 12
How do we use Landlock?
Process hierarchy (application)
1. create or receive Landlock rules
2. attach them to the current process via seccomp(2)
cgroup (container)
1. create Landlock rules
2. open a cgroup v2 directory (e.g. /sys/fs/cgroup/sandboxed)
3. attach the rules to this cgroup via bpf(2)
4. migrate processes into this cgroup
Demo
3 / 12
Why Landlock?
Why unprivileged access control?
prevent privilege escalation
minimize risk of sandbox escape
same approach as Seatbelt/XNU Sandbox and OpenBSD Pledge
Why do existing features not fit this model?
SELinux, AppArmor, Smack or Tomoyo
seccomp-BPF
(user) namespaces
4 / 12
Needs for Landlock
Flexible and dynamic rules
express a wide range of restrictions
extend over time
Constraints for an unprivileged access control
minimal attack surface
prevent DoS
do not leak sensitive kernel data
avoid confused deputy attacks
multiple independent and stackable rules
5 / 12
Using eBPF to express access rules
extended Berkeley Packet Filter
in-kernel bytecode machine:
optimized to be easily JITable
arithmetic operations, comparisons, forward jumps, function calls
restricted memory read/write (i.e. program context and stack)
exchange data through maps between eBPF programs and userland
a program returns a 32-bit value
static program verification at load time:
memory access checks
register typing and tainting
pointer leak restrictions
widely used in the kernel: network filtering, tracing...
6 / 12
How does Landlock work?
LSM hooks
atomic security checks (e.g. file permission)
can be called multiple times in a syscall
Landlock rules
a rule is tied to one LSM hook
some LSM hook arguments are available in the eBPF program context
use maps to store kernel object references (e.g. struct file)
dedicated functions to compare kernel objects
7 / 12
New eBPF features used by Landlock
Map of handles
describe a kernel object from userland
evaluation when updating an entry
File system checker functions (eBPF helpers)
bpf_landlock_cmp_fs_beneath_with_struct_file(...)
bpf_landlock_cmp_fs_prop_with_struct_file(...)
Program subtype
hook ID
access bitfield tied to capabilities
cgroups attachment (by Daniel Mack)
extend bpf(2) to be able to tie an eBPF program to a cgroup
8 / 12
A Landlock rule for the file permission hook (C)
/* ctx->args[0] is the struct file checked by the hook and map_fs is the map
 * of handles; with BPF_MAP_ARRAY_OP_OR, being beneath any one of them suffices. */
err = bpf_landlock_cmp_fs_beneath(0, map_fs, BPF_MAP_ARRAY_OP_OR, ctx->args[0]);
if (!err)
    return 0;
return EACCES;
9 / 12
A Landlock rule for the file permission hook (eBPF)
/* specify an option, if any */
BPF_MOV32_IMM(BPF_REG_1, 0),
/* handles to compare with */
BPF_LD_MAP_FD(BPF_REG_2, map_fs),
BPF_MOV64_IMM(BPF_REG_3, BPF_MAP_ARRAY_OP_OR),
/* hook argument (struct file); R6 is assumed to hold the program context */
BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_6,
            offsetof(struct landlock_data, args[0])),
/* checker function */
BPF_EMIT_CALL(BPF_FUNC_landlock_cmp_fs_beneath),
/* if the file is beneath a handle from the map, R0 is 0: allow */
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
/* deny by default, if any error */
BPF_MOV32_IMM(BPF_REG_0, EACCES),
BPF_EXIT_INSN(),
10 / 12
Two complementary ways to enforce Landlock rules
Process hierarchy: application with built-in sandboxing
restrict the current process and its future children
use the seccomp(2) interface
native use of no_new_privs
cgroup: container sandboxing
restrict processes from a cgroup
complementary to rules for process hierarchies
handle cgroup delegation with no_new_privs
11 / 12
Landlock LSM: Wrap-up
Unprivileged sandboxing
use eBPF programs as access control rules
applied through seccomp or tied to a cgroup
can handle privileged features
limited attack surface
efficient and flexible
https://lwn.net/Articles/700607
mic@digikod.net
@l0kod
12 / 12
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

Dernier (20)

EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Kernel Recipes 2016 - Landlock LSM: Unprivileged sandboxing

  • 1. [RFC] Landlock LSM: Unprivileged sandboxing. Mickaël Salaün, September 29, 2016. (1 / 12)
  • 2-4. Goal: restrict processes without needing root privileges (2 / 12)
      Examples: files beneath a list of directories; bind to a range of ports
      Append restrictions: stackable LSM; global system view; without SUID and complex brokers
      What is concerned? applications with built-in sandboxing; sandboxing managers
  • 5-7. How do we use Landlock? (3 / 12)
      Process hierarchy (application): 1. create or receive Landlock rules; 2. attach them to the current process via seccomp(2)
      cgroup (container): 1. create Landlock rules; 2. open a cgroup v2 directory (e.g. /sys/fs/cgroup/sandboxed); 3. attach the rules to this cgroup via bpf(2); 4. migrate processes into this cgroup
      Demo
  • 8-9. Why Landlock? (4 / 12)
      Why unprivileged access control? prevent privilege escalation; minimize the risk of sandbox escape; same approach as Seatbelt/XNU Sandbox and OpenBSD Pledge
      Why do existing features not fit this model? SELinux, AppArmor, Smack or Tomoyo; seccomp-BPF; (user) namespaces
  • 10-11. Needs for Landlock (5 / 12)
      Flexible and dynamic rules: express a wide range of restrictions; extend over time
      Constraints for an unprivileged access control: minimal attack surface; prevent DoS; do not leak sensitive kernel data; avoid confused deputy attacks; multiple independent and stackable rules
  • 12. Using eBPF to express access rules (6 / 12)
      extended Berkeley Packet Filter
      in-kernel bytecode machine: optimized to be easily JITable; arithmetic operations, comparisons, forward jumps, function calls; restricted memory read/write (i.e. program context and stack); exchange data through maps between eBPF programs and userland; a program returns a 32-bit value
      static program verification at load time: memory access checks; register typing and tainting; pointer leak restrictions
      widely used in the kernel: network filtering, tracing...
  • 13-14. How does Landlock work? (7 / 12)
      LSM hooks: atomic security checks (e.g. file permission); can be called multiple times in a syscall
      Landlock rules: a rule is tied to one LSM hook; some LSM hook arguments are available in the eBPF program context; use maps to store kernel object references (e.g. struct file); dedicated functions to compare kernel objects
  • 15-18. New eBPF features used by Landlock (8 / 12)
      Map of handles: describe a kernel object from userland; evaluation when updating an entry
      File system checker functions (eBPF helpers): bpf_landlock_cmp_fs_beneath_with_struct_file(...); bpf_landlock_cmp_fs_prop_with_struct_file(...)
      Program subtype: hook ID; access bitfield tied to capabilities
      cgroups attachment (by Daniel Mack): extend bpf(2) to be able to tie an eBPF program to a cgroup
  • 19. A Landlock rule for the file permission hook (C) (9 / 12)

      /* 0 when the hook's struct file (ctx->args[0]) is beneath any handle in map_fs */
      err = bpf_landlock_cmp_fs_beneath(0, map_fs, BPF_MAP_ARRAY_OP_OR, ctx->args[0]);
      if (!err)
          return 0;
      /* deny by default, including on helper error */
      return EACCES;
  • 20. A Landlock rule for the file permission hook (eBPF) (10 / 12)

      /* specify an option, if any */
      BPF_MOV32_IMM(BPF_REG_1, 0),
      /* handles to compare with */
      BPF_LD_MAP_FD(BPF_REG_2, map_fs),
      BPF_MOV64_IMM(BPF_REG_3, BPF_MAP_ARRAY_OP_OR),
      /* hook argument (struct file) */
      BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_6, offsetof(struct landlock_data, args[0])),
      /* checker function */
      BPF_EMIT_CALL(BPF_FUNC_landlock_cmp_fs_beneath),
      /* if the file is beneath a handle from the map */
      BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
      BPF_EXIT_INSN(),
      /* deny by default, if any error */
      BPF_MOV32_IMM(BPF_REG_0, EACCES),
      BPF_EXIT_INSN(),
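As an added example (not code from the slides or the Landlock RFC), here is a userland C model of the rule on slides 19 and 20: the directory strings are constructed stand-ins for the struct file references held in map_fs, and the string-based `path_beneath` stands in for the kernel's dentry comparison, both assumptions of this model. It shows the OR semantics of BPF_MAP_ARRAY_OP_OR across the map and that a helper error ends in EACCES just like a file outside every handle (deny by default).

```c
/* Added example: userland model of the Landlock file-permission rule.
 * The real helper compares kernel objects (struct file / dentries);
 * here handles are path strings, which is a deliberate simplification. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the map of handles (map_fs on the slide). */
static const char *const map_fs[] = { "/usr/share/app", "/home/user/.config/app" };
#define MAP_FS_LEN (sizeof(map_fs) / sizeof(map_fs[0]))

/* True when path is dir itself or a descendant of dir: "/a/b" is beneath
 * "/a", but "/ab" is not.  The root "/" is an ancestor of every path. */
static bool path_beneath(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (n == 1 && dir[0] == '/')
        return path[0] == '/';
    if (strncmp(path, dir, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Model of bpf_landlock_cmp_fs_beneath(0, map_fs, BPF_MAP_ARRAY_OP_OR, file):
 * 0 when the file is beneath at least one handle (OR over the map),
 * a negative errno otherwise (error codes are constructed for the model). */
static int cmp_fs_beneath_or(const char *const *handles, size_t len, const char *file)
{
    if (file == NULL || file[0] != '/')
        return -EINVAL;             /* helper error: the rule must not allow */
    for (size_t i = 0; i < len; i++)
        if (path_beneath(file, handles[i]))
            return 0;
    return -ENOENT;                 /* beneath none of the handles */
}

/* The rule from slide 19: allow (0) only when the check succeeded; any
 * other outcome, including a helper error, returns EACCES (deny by default). */
int landlock_file_permission(const char *file)
{
    int err = cmp_fs_beneath_or(map_fs, MAP_FS_LEN, file);
    if (!err)
        return 0;
    return EACCES;
}
```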
  • 21-22. Two complementary ways to enforce Landlock rules (11 / 12)
      Process hierarchy (application with built-in sandboxing): restrict the current process and its future children; use the seccomp(2) interface; native use of no_new_privs
      cgroup (container sandboxing): restrict processes from a cgroup; complementary to rules for process hierarchies; handle cgroup delegation with no_new_privs
  • 23. Landlock LSM: Wrap-up (12 / 12)
      Unprivileged sandboxing: use eBPF programs as access control rules; applied through seccomp or tied to a cgroup; can handle privileged features; limited attack surface; efficient and flexible
      https://lwn.net/Articles/700607
      mic@digikod.net @l0kod