Linux containers currently provide limited isolation guarantees. While
containers separate namespaces and partition resources, the patchwork of
mechanisms used to ensure separation cannot guarantee consistent security
semantics. Even worse, attempts to ensure complete coverage results in a
mishmash of policies that are difficult to understand or audit. Here we present
BPFContain, a new container confinement mechanism designed to integrate with
existing container management systems. BPFContain combines a simple yet
flexible policy language with an eBPF-based implementation that allows for
deployment on virtually any Linux system running a recent kernel. In this
paper, we present BPFContain’s policy language, describe its current
implementation as integrated into docker, and present benchmarks comparing it
with current container confinement technologies.

Go to Source of this post
Author Of this post: <a href="">William Findlay</a>, <a href="">David Barrera</a>, <a href="">Anil Somayaji</a>

By admin