Google Engineer Posts Latest Patches For MAC + Audit Policy Using eBPF
Written by Michael Larabel in Linux Networking on 24 March 2020 at 12:07 AM EDT.
One of the interesting recent innovations for the eBPF in-kernel virtual machine is Google's work on supporting MAC and audit policy handling through it. This stems from the custom real-time security data collection and analysis that Google currently runs internally on its servers for real-time threat protection, and this patch set is part of their work on allowing similar functionality in the upstream Linux kernel.

First posted at the end of 2019, the kernel patches allow BPF programs to be attached to Linux security module (LSM) hooks, resulting in a unified and dynamic audit and MAC policy. Until now, audit/perf and access enforcement have been disjointed and have not worked together.

The patches are up to their fifth revision and can currently be found via the kernel mailing list. The cover letter also goes into more detail on Google's use case and their reasoning for this design.

The v5 revision brings various code improvements and addresses upstream feedback. However, as the Linux 5.7 kernel merge window is incredibly close at this point, it's not clear whether the patches will land in time for Linux 5.7 or be punted off to 5.8 or later. In any case, this patch set is worth watching in 2020 for (e)BPF fans and network administrators.
About The Author

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter or contacted via
