|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2019-12-27 17:29:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
[$] KRSI — the other BPF security module
One of the first uses of the BPF virtual
machine outside of networking was to implement access-control policies
for the seccomp()
system call. Since then, though, the role of BPF in the security area has
not changed much in the mainline kernel, even though BPF has evolved
considerably from the "classic" variant still used with seccomp()
to the "extended" BPF now supported by the kernel. That has not been for a
lack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime security
instrumentation (KRSI) patch set in September. KP Singh has posted a new
KRSI series, so the time seems right for a closer look.
One of the first uses of the BPF virtual
machine outside of networking was to implement access-control policies
for the seccomp()
system call. Since then, though, the role of BPF in the security area has
not changed much in the mainline kernel, even though BPF has evolved
considerably from the "classic" variant still used with seccomp()
to the "extended" BPF now supported by the kernel. That has not been for a
lack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime security
instrumentation (KRSI) patch set in September. KP Singh has posted a new
KRSI series, so the time seems right for a closer look.
