bpf: add a few hooks for sandboxing #11113
Open
kernel-patches-daemon-bpf[bot] wants to merge 4 commits into bpf-next_base from
Add the three namespace lifecycle hooks and make them available to bpf lsm program types. This allows bpf to supervise namespace creation. I'm in the process of adding various "universal truth" bpf programs to systemd that will make use of this. This, e.g., allows locking a program into a given set of namespaces.

Signed-off-by: Christian Brauner <brauner@kernel.org>
Add a hook to manage attaching tasks to cgroup. I'm in the process of adding various "universal truth" bpf programs to systemd that will make use of this. This has been a long-standing request (cf. [1] and [2]). It will allow us to enforce cgroup migrations and ensure that services can never escape their cgroups. This is just one of many use-cases.

Link: systemd/systemd#6356 [1]
Link: systemd/systemd#22874 [2]
Signed-off-by: Christian Brauner <brauner@kernel.org>
Add a BPF LSM selftest that implements a "lock on entry" namespace sandbox policy.

Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Pull request for series with
subject: bpf: add a few hooks for sandboxing
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1055733