Google Engineer Posts Latest Patches For MAC + Audit Policy Using eBPF
One of the interesting innovations for the eBPF in-kernel virtual machine in recent times is the work by Google on supporting MAC and audit policy handling with it. This stems from Google's existing custom real-time security data collection and analysis on its servers internally for real-time threat protection; this patch-set is part of their work on allowing similar functionality in the upstream Linux kernel.
First posted at the end of 2019, the kernel patches allow BPF programs to be attached to Linux security module (LSM) hooks, resulting in a unified and dynamic audit and MAC policy. Until now, auditing (via audit/perf) and access enforcement have been disjointed mechanisms that did not work together.
The patches are up to their fifth revision and can currently be found via the kernel mailing list. The cover letter also goes into more detail on Google's use-case and their reasoning for this design.
The v5 revision brings various code improvements and addresses upstream feedback. However, as the Linux 5.7 kernel merge window is incredibly close at this point, it's not clear there would be time for it to land in Linux 5.7; it could be punted off to 5.8 or later. In any case, this patch set is worth watching in 2020 for (e)BPF fans and network administrators.
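As an added illustration (not code from the patch set or from Google), here is a minimal BPF LSM program of the kind these patches enable: a single program attached to the socket_create hook that both emits an audit record and enforces a MAC decision. The SEC macro, helper stubs and constants are declared inline so the file has no libbpf header dependency (a real build would include bpf_helpers.h and use BPF_PROG), and the policy itself (deny AF_PACKET sockets, audit raw IP sockets) is a constructed sample.

```c
/* Build for the kernel with: clang -O2 -g -target bpf -c krsi_socket.c -o krsi_socket.o
 * SEC, helper stubs and constants are declared here instead of via libbpf headers so
 * that the pure policy function also compiles natively for unit testing. */
#define SEC(name) __attribute__((section(name), used))
/* Values from <linux/socket.h> and <asm-generic/errno-base.h>. */
#define AF_INET 2
#define AF_INET6 10
#define AF_PACKET 17
#define SOCK_RAW 3
#define SOCK_TYPE_MASK 0xf
#define EPERM 1
/* BPF helpers by id: bpf_trace_printk (6) writes to the tracing trace_pipe. */
static long (*bpf_trace_printk)(const char *fmt, unsigned int fmt_size, ...) = (void *)6;
static unsigned long long (*bpf_get_current_pid_tgid)(void) = (void *)14;

struct verdict {
    int ret;   /* returned to the LSM core: 0 allows, -EPERM denies */
    int audit; /* 1 if an audit record should be emitted */
};

/* Pure policy decision, kept separate so it can be tested outside the kernel.
 * prior_ret is the verdict of LSMs or BPF programs that ran earlier on this hook. */
static inline struct verdict socket_create_policy(int family, int type, int kern, int prior_ret)
{
    struct verdict v = { .ret = prior_ret, .audit = 0 };
    type &= SOCK_TYPE_MASK;              /* strip SOCK_NONBLOCK / SOCK_CLOEXEC flags */
    if (prior_ret != 0 || kern)          /* never override an earlier denial; skip kernel sockets */
        return v;
    if (family == AF_PACKET) {           /* MAC: deny link-layer sockets and audit the attempt */
        v.ret = -EPERM;
        v.audit = 1;
    } else if ((family == AF_INET || family == AF_INET6) && type == SOCK_RAW) {
        v.audit = 1;                     /* audit only: allowed, but recorded */
    }
    return v;
}

/* security_socket_create(family, type, protocol, kern) arguments plus the previous
 * return value arrive as 64-bit slots in ctx; BPF_PROG would unpack them the same way. */
SEC("lsm/socket_create")
int socket_create_hook(unsigned long long *ctx)
{
    int family = (int)ctx[0], type = (int)ctx[1], kern = (int)ctx[3], ret = (int)ctx[4];
    struct verdict v = socket_create_policy(family, type, kern, ret);
    if (v.audit) {
        char fmt[] = "socket_create pid=%d family=%d verdict=%d\n";
        bpf_trace_printk(fmt, sizeof(fmt), (int)(bpf_get_current_pid_tgid() >> 32), family, v.ret);
    }
    return v.ret;
}

char LICENSE[] SEC("license") = "GPL";
```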