Any useful comments and reviews out there? From mere users to notable security experts, of course.

Google loves to do PR to their efforts, but I wonder what's the reality behind all this KRSI stuff.

Can eBPF be useful outside networking stuff too?

eBPF is already widely used outside of networking including tracing for example

eBPF, while the name derives from extended Berkeley Packet Filter, has expanded the classic network BPF to be a generalized kernel virtual machine running a custom instruction set. The work to implement eBPF was seen as providing a way to extend the kernel dynamically in other ways than just networking. Being able to attach eBPF programs to kernel events allows one to implement more complex policies, and to monitor certain actions. For tracing, one might think of eBPF as sort of a DTrace 2.0.

So google snooping on my internal data like they do my external data?

I'm looking forward to Zircon.

I'm a little bit tired of the Linux kernel. A new adventure every release - not just one but many! Including "stable" releases which sometimes have regressions.

No, Google wanting to open-source a version of what they already use internally which Linux and co. will accept. It's basically analogous to AMD upstreaming the kernel side of their video drivers, but for code which handles enforcing security rules.

TL;DR: Think of if the Linux kernel allowed you to write a "script" which runs inside a sandbox in the kernel (what eBPF allows) which could set or release SELinux-like restrictions based on events coming out of the audit and perf systems. That's what this is. It basically makes it much easier to write in-kernel Intrusion Detection Systems capable of taking action rather than just reporting.

a little hard to do that with opensource, but feel free to migrate to FreeBSD.

Tell it to the openssl guys.

KRSI sounds like a brilliant idea. It makes sense to use a standard virtual machine for different areas of the kernel that need it, rather than a lot of disparate VMs. ebpf is already being used as a replacement for iptables and for sandboxing with seccomp, so using it for perf, auditing and LSMs is a next logical step. ebpf has become generalized and useable well beyond packets. This reduces needless duplication in the kernel of VM functionality. writing security modules in ebpf makes sense and also stacking them as well, this is far more flexible than the often fixed, rigid models of AppArmor, since an ebpf filter can have arbitrary complexity allowing it to for more powerful security rules to be created if needed with more precise rules.

This will make Linux's security features far above and beyond what it was before and allows Linux to be far more secure.


Also, its open source, so no data snooping by google. Root can load Linux Kernel Modules anyway, and run with no limitations. This runs code in a virtual machine instead which is JIT compiled, feasibly it can be made more secure than a kernel module.