►
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Extending systemd Security Features with eBPF - Mauricio Vásquez Bernal, Microsoft
systemd uses eBPF to implement certain functionality like IP filtering and accounting. These features have been traditionally implemented by writing the eBPF code directly in eBPF-assembly. It’s an efficient solution but makes their development and maintainability very difficult. Systemd recently got support for libbpf, which opens the door to adding new features much more easily. In this talk Mauricio will explain how two new security features were implemented in systemd using this new integration: RestrictFileSystems and RestrictNetworkInterfaces. RestrictFileSystems allows limiting the filesystem types that processes in a systemd service have access to and RestrictNetworkInterfaces allows limiting the network interfaces that processes in a systemd can use.
A
I
want
to
talk
about
the
security
features
where
array
this
is
in
there
before
with
this
on
of
our
work
so
yeah
before
we
implemented
these
security
features,
csnd
already
supported
some
features
based
on
ebpf
and
the
first
feature
supported
was
the
ip
firewall.
In
this
case.
This
feature
allows
us
to
count
the
ap
packets
based
on
the
ap
and
also
to
deny
or
to
allow
those
packets
based
on
the
ap
address
of
of
those
packets.
A
In
this
case,
those
programs
were
implemented
by
writing
the
ebpf
code
directly
in
assembly.
There
was
some
kind
of
custom
compiler
that
translated
a
configuration
provided
by
the
user
to
the
ebpf
assembly
code.
Another
feature
related
to
ebpf
in
csnd
was
the
costs
and
the
support
for
custom
programs
also
for
the
ap
firewall.
In
this
case,
the
the
user
can
implement
its
own
ebpf
program,
so
the
user
can
compile
the
program
and
the
user
also
is
in
charge
of
loading
and
pinning
the
programs.
A
A
A
A
So
why
is
this
support?
Relevant?
Okay?
The
first
thing
important
for
us
is
that,
by
having
the
support,
this
is
much
easier
to
develop
to
implement
new
ebpf
based
features.
This
is
mainly
because
by
using
libpar,
we
don't
have
to
worry
about
writing
the
code
in
assembly,
so
we
can
write
the
code
inside
to
see
we
can
use
clan
to
compile
to
ebpf
assembly
code
so
yeah.
This
is
much
easier.
A
This
is
just
the
same
as
in
other
programming
languages
that
we
are
usually
writing
the
coding
in
high
level
languages
and
using
a
compiler
to
generate
assembly
code.
This
is
in
the
specific
case
or
ebp.
If
there
is
no
that
many
people
that
is
able
to
write
ebpf
assembly
code
and
yeah,
this
is
slower
to
to
develop
a
functionality
using
assembly,
and
this
is
also
very
difficult
to
maintain,
also
yeah.
A
In
summary,
developing
the
programs
using
c
is
much
easier
and
faster
for
for
us,
the
other
important
factor
about
lvpf
is
that
we
have
the
full
libidpf
api
available.
So
by
using
this
library
where
we
are
able
to
handle
the
different
dpf
objects
in
the
kernel,
so,
for
instance,
we
are
able
to
create
the
maps
we
are
able
to
update,
delete,
get
the
elements
in
a
map.
We
are
able
to
load
the
programs
in
the
kernel
to
attach
those
programs
to
the
different
hook
points
and
so
on.
A
The
tennis
bar
can
be
a
little
bit
obvious,
but
I
want
to
make
it
clear
why
we
chose
to
use
libpf.
So
libyapf
is
the
official
kernel
library
for
ebpfs.
Actually,
this
is
this
library
is
directly
developed
in
the
kernel
source
tree,
so
this
is.
This
is
important
for
us,
because
each
time
there
is
a
new
kernel
feature
related
to
ebpf.
This
support
is
implemented
in
in
liberia,
so
we
can
say
that
libidpf
is
always
updated
to
support
the
latest
kernel,
their
htc
vpf
features
in
the
linux
kernel.
A
Some
of
those
features
that
are
interesting
for
us
regarding
the
implementation
that
we
did
for
ccnt
are
compiled
once
run
everywhere.
So
this
is
a
technology
that
allows
us
to
compile
the
abpf
program.
While
we
compile
the
whole
system
binary
and
then
we
just
deploy
that
program
in
the
different
target
machines
without
having
to
to
recompile
that,
I
will
explain
a
little
bit
more
about
that
in
a
second.
The
second
feature
that
was
interesting
for
us
is
bpf
skeleton,
so
the
bpf
skeleton
is
a
mechanism
that
is
implemented
in
bpf
tool.
A
By
using
it
we
are
able
to
get
a
c
representation.
We
are
able
to
generate
a
skeleton
from
an
bpf
object
file
that
represents
all
the
elements
that
are
inside
that
file.
So,
for
instance,
when
we
route
the
bpf
program
with
the
find
some
maps,
we
define
some
programs
and
so
on
and
we
can
handle
all
of
those
by
using
this
this
skeleton.
So
this
is
a
simplification
that
makes
it
easier
again
to
implement
and
to
handle
the
ebpf
programs
maps
and
so
on.
A
Okay,
so
let's
go
into
the
details
of
the
different
properties
that
we
implement.
Actually,
we
we
did
two
of
them.
The
first
one
is
restoration
network
interfaces,
as
it
is
implicit
in
the
name.
This
is
for
restricting
the
the
network
interfaces
the
processes
can
access.
We
support
both
analog
or
and
deny
list
yeah,
for
instance,
this
co.
This
could
be
used
when
we
know
that
there
is
a
service
that
shouldn't
be
accessing
the
the
internet.
A
So
in
that
case
we
could
whether
we
coordinate
the
traffic
on
the
internet
facing
network
interface,
or
we
could
lock
that
interface
to
the
load
back.
Okay,
sorry,
lock
that
service
to
the
loopback
interface,
so
we
have
different
options.
So
the
idea
is,
if
we
know
the
interfaces
the
assist
assistant
the
service
should
be
using.
Then
we
can
limit
those
interfaces
to
be
sure
that
this
service
is
not
able
to
use
any
other
network
interface
on
the
system.
A
Regarding
the
implementation
of
this
a
future,
we
did
that
by
attaching
two
ebpf
programs
to
the
c
group,
english
and
egress
hawks
of
the
city
service,
and
what
is
nice
about
this
person
group
eppf
program
is
that
we
can
keep
separated
ebpf
programs
for
each
system
this
service.
So
in
this
case,
we
have
two
different
ebpf
programs
for
each
system,
this
service-
that
is
using
this
feature
and
from
the
implementation
point
of
view,
we
don't
have
to
worry
about
handling
the
logio.
Where
is
this
application
running?
A
I
mean
what
is
the
c
group
where
this
application
is
running,
because
each
time
the
programs
are
executed,
this
is
implicit.
They
see
where
the
application
is
running
is
already
implicit
on
the
program
in
order
to
determine
if
a
network
interfaces
are
allowed
or
not,
we
have
a
hashmap
where
we
save
the
different
network
interface
indexes.
A
The
size
of
this
program
is
rather
small.
We
have
something
like
50
lines
of
code.
This
is
in
c
code
and
yeah.
I
want
to
mention
here
that
the
the
pr
that
is
implemented-
this
is
a
little
bit
big,
but
actually
the
piece
that
is
doing
the
real
work
on
ebpf
is
is
very
small.
So
all
the
logic
that
we
have
around
is
to
load
the
programs
to
populating
the
maps
and
so
on.
Actually,
the
logic
that
is
inside
the
abpf
program
is
very,
very
small
for
this
feature.
We
require
the
kernel
version
5.7.
A
This
is
because
we
decided
to
use
ebpf
links
for
handling
the
csnd
demon,
reload
and
re
and
demo
reason.
So
it
is
because
we
got
a
file
descriptor
for
the
vpf
link.
We
don't
have
to
worry
about
unloading,
the
program,
detaching,
the
program
and
so
on.
We
can
just
pass
the
full
descriptor
for
the
link
from
one
season,
the
instance
to
the
another
one.
A
A
I
have
the
good
back
one
and
I
have
another
that
I
use
to
reach
the
internet
in
order
to
create
a
temporary,
a
cnd
unit,
I'm
going
to
use
this
and
iran
and
I'm
going
to
pass
the
resilient
network
interfaces
property
to
show
you
how
it
works.
So,
let's
start
by
creating
a
service
that
is
only
able
to
access
the
internet,
the
interface
that
is
used
to
reach
the
internet.
So
in
this
case
the
ping
is
working.
A
A
A
A
Let's
go
to
the
second
property
that
we
implemented.
This
is
again
regarding
security
and
this
time
this
is
for
restricting
the
the
types
of
devices
and
that
processes
are
able
to
access.
We
also
support
the
law
or
the
denied
list
in
this
case,
and
this
feature
provides
an
additional
security
layer,
because
we
are
able
to
restrict
the
processes
for
accessing
some
of
the
dangerous
prices
around
sony
use
case.
A
Regarding
the
implementation,
this
is
using
the
linear
security
modules
together
with
ebpf,
so
those
are
the
traditional
lsn
hooks,
but
this
sign
into
instrumented
with
ebpf.
What
that
means
is
that
we
are
able
to
use
ebpf
to
make
a
decision
on
what
to
do
once
the
hook
is
involved,
so
we
can
do
a
look
up
in
a
map
or
we
can
implement
whatever
logic
we
want
to
make
the
decision.
A
A
In
this
case,
the
lsm
ebpf
programs
are
not
c
group
aware.
So
what
it
means
for
us
is
that
we
have
to
keep
a
single
global
program
in
the
host
and
because
of
that,
we
have
to
keep
a
global
ebp
map
of
maps
where
we
store
the
different
magical
numbers
of
the
file
systems,
and
this
is
indexed
by
secret
by
d.
So,
in
this
specific
case,
the
order
map
is
accessed
by
the
c
group
id.
So
we
have
this
helper
to
get.
A
What
is
the
signal
id
where
the
application
is
running
and
the
inner
map?
We
have
a
list
of
allo
or
deny
file,
system,
magical
numbers
and
I'll
show
you
in
a
second
how
we
are
able
to
access
those
magic
numbers,
so
the
the
magic
the
the
program
is
receives
this
strut
file.
This
is
an
internal
kernel
structure.
So,
for
this
reason
we
have
to
use
vpf
car
to
rate
the
magic
number.
A
The
important
part
here
is
that
the
layout
of
this
structure
could
change
in
different
kernel
versions.
So
that's
the
reason
why
we
are
using
chord,
even
if
the
layout
change
from
a
kernel
version
to
another,
one
lbpf
will
be
able
to
calculate
the
specific
offsets
before
loading
the
program
into
the
kernel.
A
Again,
this
program
is
rather
small.
This
is
just
66
lines
of
code
and
the
kernel
requirements
are
very
similar
to
our
previous
property.
This
is
5.7,
but
this
time
we
also
need
to
have
this
a
compilation
flag,
whether
we
have
to
to
have
bpf
in
this
compilation
flag
or
otherwise.
We
have
to
bolt
the
kernel
with
this
a
parameter
we
have
to
include
vpf
in
the
list
of
linux
security
modules
that
are
used
regarding
the
status
of
this
pr.
We
already
have
one
approval.
We
are
waiting
for
all
the
reviewers,
but
yeah.
A
A
A
So,
for
instance,
let's
say
that
we
are
going
to
three
only
2x4
and
I'm
going
to
cut
the
contents
of
that
file.
So,
as
you
can
see
here,
we
got
an
operational
error
message
while
trying
to
access
that
file.
If
we
look
at
the
output
of
the
amount
common,
we
can
see
that
the
tmp
folder
is
the
type
tmpfs.
A
So
this
is
the
reason
why
this
is
not
working,
so
we
can
add
the
mpfs
here
and
you
can
see
that
everything
worked
fine,
we
were,
we
were
able
to
access
the
contents
of
the
file,
for
instance,
if
I
try
to
get
the
command
line
of
the
executor
again.
In
this
case
there
is
a
problem
because
the
proc
is
a
different
lc
file
system,
so
in
this
case
to
be
able
to
do
that,
I
should
use
the
I
should
add
rock
there.
So
in
this
case
this
is
working.
A
A
A
If
you
want
to
know
more
details
about
the
work,
what
and
we
did
there
are
some
links
on
on
the
presentation,
so
the
first
one
is
about
blood
post,
where
we
include
all
the
details
of
the
implementation.
We
have
also
some
pointers
to
the
code,
and
here
we
have
different
pointers
to
the
different
topics
that
I
cover
in
this
presentation.