Locked in eBPF: Meet Jailer, the Next-Gen Process Jailing System for Linux Security
Jailer is an eBPF-based process jailing system that provides mandatory access control (MAC) for Linux. It tracks processes using BPF task_storage maps and enforces role-based policies on file access, network operations, and process execution.
Features
| Feature | Status | Description |
|---|---|---|
| Process Tracking | ✅ Working | Tracks processes using task_storage BPF map |
| Socket Enrollment | ✅ Working | Processes enroll via Unix socket API |
| Role-based Policies | ✅ Working | Restricted and permissive roles |
| File Access Control | ✅ Working | Block/allow file open operations |
| Jail Inheritance | ✅ Working | Child processes inherit parent’s jail |
| Network Control | ✅ Working | Block/allow socket bind/connect |
| Port/Protocol Filtering | ✅ Working | Per-port TCP/UDP allow/deny rules |
| Exec Control | ✅ Working | Block/allow process execution |
| Path Matching | ✅ Working | Dentry walking with cache invalidation |
| Signed Binaries | 🚧 Stub | Binary signature validation (not implemented) |
| Alternative Enrollment | ✅ Working | Auto-enroll by executable, cgroup, or xattr |
| Daemonless Mode | ✅ Working | Bootstrap binary pins programs at early boot |
| Audit Events | ✅ Working | Perf buffer for systemd-journald integration |
Policy Flags
| Flag | Description |
|---|---|
| allow_file_access | Allow file open operations |
| allow_network | Allow socket bind/connect |
| allow_exec | Allow process execution |
| allow_setuid | Allow setuid operations |
| allow_ptrace | Allow ptrace operations |
Default Roles
| Role ID | Name | File Access | Network | Exec |
|---|---|---|---|---|
| 1 | restricted | Blocked | Blocked | Blocked |
| 2 | permissive | Allowed | Allowed | Allowed |
| 3 | webserver | Allowed | Ports 80, 443, 8080 | Blocked |
| 4 | database | Allowed | Ports 5432, 6379 | Blocked |
| 5 | isolated | Allowed | Blocked | Blocked |
| 6 | web_with_db | Allowed | Ports 80, 443, 5432, 3306, 6379 | Blocked |
| 7 | worker | Allowed | Ports 443, 5432, 6379, 5672 | Allowed |
Architecture

Enrollment Flow
- The process connects to `/run/bpfjailer/enrollment.sock`
- It sends the JSON request `{"Enroll": {"pod_id": N, "role_id": M}}`
- The daemon writes the request into the BPF maps `pending_enrollments[PID]` and `role_flags[role_id]`
- On the process's next hooked operation (the `file_open` or `exec` hook), the BPF side migrates the pending enrollment into `task_storage`
- Every later hooked operation is checked against `task_storage` plus `role_flags` for enforcement
- Child processes inherit the parent's jail through the `task_alloc` hook
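The client side of this flow, together with a stand-in for the daemon so it can run offline, as an added example that is not Jailer's own code. The socket path, the request shape and the role IDs come from this page; the following are assumptions: requests are newline-terminated, the daemon answers with one JSON line (`{"Ok": ...}` or `{"Error": ...}`), it takes the enrolling PID from `SO_PEERCRED` on the accepted socket rather than from anything the client sends, and it rejects unknown role IDs and duplicate pending enrollments. `EnrollmentTable`, `serve_one`, `demo` and the reply format are illustrative names, not part of the project.

```python
"""Enrollment client and a stand-in daemon for the Unix socket API.

Added example, not Jailer's own code. Assumed, not documented on the page:
newline framing, the one-line JSON reply, SO_PEERCRED as the PID source,
and validation of role_id against the Default Roles table.
"""
import json
import os
import socket
import struct
import tempfile
import threading

DEFAULT_SOCKET_PATH = "/run/bpfjailer/enrollment.sock"

# Role IDs and names from the Default Roles table.
DEFAULT_ROLES = {1: "restricted", 2: "permissive", 3: "webserver", 4: "database",
                 5: "isolated", 6: "web_with_db", 7: "worker"}


def build_enroll_message(pod_id: int, role_id: int) -> bytes:
    """Serialize the request in the documented shape, newline-framed (assumed)."""
    if not all(type(v) is int for v in (pod_id, role_id)):
        raise TypeError("pod_id and role_id must be integers")
    return (json.dumps({"Enroll": {"pod_id": pod_id, "role_id": role_id}}) + "\n").encode()


def enroll(pod_id: int, role_id: int, path: str = DEFAULT_SOCKET_PATH,
           timeout: float = 2.0) -> dict:
    """Send one enrollment request and return the daemon's (assumed) JSON reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(build_enroll_message(pod_id, role_id))
        reply = s.makefile("rb").readline()
    if not reply:
        raise ConnectionError("daemon closed the socket without replying")
    return json.loads(reply)


def peer_pid(conn: socket.socket) -> int:
    """PID of the connected peer from SO_PEERCRED (Linux). A PID carried inside
    the JSON could be forged by any client; the kernel-supplied credential cannot."""
    if not hasattr(socket, "SO_PEERCRED"):
        # Non-Linux hosts lack SO_PEERCRED; in this in-process demo the client
        # and the stand-in daemon share a PID, so fall back to our own.
        return os.getpid()
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", creds)
    return pid


class EnrollmentTable:
    """Daemon-side state: pending_enrollments[PID] -> {pod_id, role_id}, which the
    BPF side migrates into task_storage on that PID's next hooked operation."""

    def __init__(self):
        self.pending_enrollments = {}

    def handle(self, pid: int, raw: bytes) -> dict:
        try:
            req = json.loads(raw)["Enroll"]
            pod_id, role_id = int(req["pod_id"]), int(req["role_id"])
        except (ValueError, KeyError, TypeError):
            return {"Error": "malformed enrollment request"}
        if role_id not in DEFAULT_ROLES:
            return {"Error": f"unknown role_id {role_id}"}
        if pid in self.pending_enrollments:
            return {"Error": f"enrollment already pending for pid {pid}"}
        self.pending_enrollments[pid] = {"pod_id": pod_id, "role_id": role_id}
        return {"Ok": {"pid": pid, "role": DEFAULT_ROLES[role_id]}}


def serve_one(path: str, table: EnrollmentTable) -> threading.Thread:
    """Bind the socket now, then answer exactly one client on a background thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            line = conn.makefile("rb").readline()
            conn.sendall((json.dumps(table.handle(peer_pid(conn), line)) + "\n").encode())
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def demo() -> dict:
    """Run the client against the stand-in daemon on a temporary socket path."""
    path = os.path.join(tempfile.mkdtemp(), "enrollment.sock")
    table = EnrollmentTable()
    thread = serve_one(path, table)
    reply = enroll(pod_id=7, role_id=3, path=path)
    thread.join(2.0)
    return {"reply": reply, "pending": table.pending_enrollments, "client_pid": os.getpid()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `peer_pid` is the one a reviewer would insist on: the daemon keys `pending_enrollments` by the PID the kernel reports for the connection, so a client cannot enroll some other process into a permissive role by naming its PID. The duplicate check matters for the same reason: until the BPF side has migrated a pending entry into `task_storage`, a second request from the same PID should not be able to silently overwrite the role.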
Install & Use