This project loads eBPF programs into the Linux kernel and attaches them to LSM security hooks.
This modifies kernel behavior at runtime.
- It enforces sandbox rules monitored at kernel level
- It can block file creation, file writes, process execution and network activity for sandboxed apps
- It affects all matching tasks for sandboxed apps on the system
- Requires root permissions
- Requires a kernel with BPF-LSM support
eBPF allows writing verifier-checked programs that run dynamically inside the kernel without recompiling or patching it.
It enables security enforcement and per-task sandboxing.
With BPF-LSM hooks, we can enforce custom security policies efficiently.
A JSON configuration file is available at /src/config.json.
It defines things like:
- Applications to be sandboxed
- Allowed write directories
- Allowed network domains
- Denied environment vars
The parser reads this file and populates BPF maps accordingly.
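As an added example (not the project's code), this is the directory-boundary check that an "allowed write directories" rule needs, written as plain userspace C so it can be compiled and tested on its own; a BPF LSM program would make the same comparison inside its hook (for example lsm/file_open) with bounded loops on a path obtained via bpf_d_path. The sample config entries, function names and request paths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of what the parser might load from the config's
 * "allowed write directories" (assumption: absolute paths). */
static const char *const SAMPLE_ALLOWED[] = { "/tmp/sandbox", "/home/user/work" };
static const size_t SAMPLE_ALLOWED_N = sizeof(SAMPLE_ALLOWED) / sizeof(SAMPLE_ALLOWED[0]);

/* True if path is dir itself or lies beneath it. A plain prefix test is
 * not enough: "/tmp/sandbox" must not authorise "/tmp/sandbox_evil/x". */
bool path_under_dir(const char *path, const char *dir)
{
    size_t dlen = strlen(dir);

    if (dlen == 0 || path[0] != '/' || dir[0] != '/')
        return false;               /* only absolute paths are compared */
    if (dlen == 1)
        return true;                /* "/" covers every absolute path */
    if (dir[dlen - 1] == '/')
        dlen--;                     /* tolerate a trailing slash in config */
    if (strncmp(path, dir, dlen) != 0)
        return false;
    /* Exact match, or the next character is a path separator. */
    return path[dlen] == '\0' || path[dlen] == '/';
}

/* Policy decision for a file create/write: default deny, allow only when
 * the target is under one of the configured directories. */
bool write_allowed(const char *path, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (path_under_dir(path, allowed[i]))
            return true;
    return false;
}

int main(void)
{
    /* Constructed write requests a sandboxed task might issue. */
    const char *requests[] = { "/tmp/sandbox/out.txt", "/tmp/sandbox_evil/x",
                               "/home/user/work", "/etc/passwd" };
    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++)
        printf("%-22s %s\n", requests[i],
               write_allowed(requests[i], SAMPLE_ALLOWED, SAMPLE_ALLOWED_N) ? "allow" : "deny");
    return 0;
}
```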
Required kernel options: BPF, LSM stacking.
Check using grep:

    grep BPF /boot/config-$(uname -r)
    grep LSM /boot/config-$(uname -r)

The line "CONFIG_BPF_LSM=y" indicates that your kernel supports BPF LSM.
Boot parameters must contain:

    lsm=lockdown,capability,landlock,yama,bpf,apparmor

(If missing, update /etc/default/grub, run sudo update-grub, and reboot.)
Install the build dependencies:

    sudo apt-get update
    sudo apt-get install -y \
        build-essential clang llvm libelf-dev libbpf-dev \
        bpftool libjson-c-dev pkg-config make git jq \
        linux-headers-$(uname -r)

Clone and build:

    git clone https://github.com/Vignesh3538/SandBoxingUserApp.git
    cd SandBoxingUserApp/src
    sudo su
    make

Run any application listed in the JSON file normally. BPF-LSM hooks will:
- Allow or deny file creation
- Allow or deny file writes
- Allow or deny socket connections
- Allow or deny executing an application when it has access to environment variables that need to be protected
You can observe decisions via:

    sudo cat /sys/kernel/debug/tracing/trace_pipe

To clean the build:

    make clean