Locked in eBPF: Meet Jailer, the Next-Gen Process Jailing System for Linux Security

Jailer is an eBPF-based process jailing system that provides mandatory access control (MAC) for Linux. It tracks processes using BPF task_storage maps and enforces role-based policies on file access, network operations, and process execution.

Features

Feature Status Description
Process Tracking ✅ Working Tracks processes using task_storage BPF map
Socket Enrollment ✅ Working Processes enroll via Unix socket API
Role-based Policies ✅ Working Restricted and permissive roles
File Access Control ✅ Working Block/allow file open operations
Jail Inheritance ✅ Working Child processes inherit parent’s jail
Network Control ✅ Working Block/allow socket bind/connect
Port/Protocol Filtering ✅ Working Per-port TCP/UDP allow/deny rules
Exec Control ✅ Working Block/allow process execution
Path Matching ✅ Working Dentry walking with cache invalidation
Signed Binaries 🚧 Stub Binary signature validation (not implemented)
Alternative Enrollment ✅ Working Auto-enroll by executable, cgroup, or xattr
Daemonless Mode ✅ Working Bootstrap binary pins programs at early boot
Audit Events ✅ Working Perf buffer for systemd-journald integration

Policy Flags

Flag Description
allow_file_access Allow file open operations
allow_network Allow socket bind/connect
allow_exec Allow process execution
allow_setuid Allow setuid operations
allow_ptrace Allow ptrace operations

Default Roles

Role ID Name File Access Network Exec
1 restricted Blocked Blocked Blocked
2 permissive Allowed Allowed Allowed
3 webserver Allowed Ports 80, 443, 8080 Blocked
4 database Allowed Ports 5432, 6379 Blocked
5 isolated Allowed Blocked Blocked
6 web_with_db Allowed Ports 80, 443, 5432, 3306, 6379 Blocked
7 worker Allowed Ports 443, 5432, 6379, 5672 Allowed

Architecture

Enrollment Flow

  1. Process connects to /run/bpfjailer/enrollment.sock
  2. Sends JSON: {"Enroll": {"pod_id": N, "role_id": M}}
  3. Daemon writes to pending_enrollments[PID] and role_flags[role_id]
  4. On next syscall (file_open, exec), BPF migrates enrollment to task_storage
  5. All future syscalls check task_storage + role_flags for enforcement
  6. Child processes inherit via task_alloc hook

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce