bpfbox: Simple Precise Process Confinement with eBPF and KRSI
bpfbox: Simple Precise Process Confinement with eBPF and KRSI William Findlay October 28, 2020 bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write Motivation ▶ Existing process confinement mechanisms are complex seccomp-bpf Unix DAC Namespaces Cgroups Capabilities Namespaces Unix DAC seccomp-bpf ▶ Existing process confinement mechanisms are prototyping ▶ Safe production deployment of new security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3
0 credits | 8 pages | 528.12 KB | 1 year ago 3
openEuler OS Technical Whitepaper Innovation Projects (June, 2023)
Innovation Projects (June, 2023) OpenAtom openEuler Community CONTENTS 1 Introduction 001 Development Roadmap 002 2 Technology Ecosystem 003 Innovative Platform for Versatile Scenarios 004 KunpengSecL 068 secCrypto 070 secGear 072 secPaver 073 sysMaster 076 Simplified O&M and Development 078 A-Ops 078 CPDS 081 CPM4OSSP 083 CTinspector 084 eggo 085 nvwa 087 PilotGo 088 ecosystem empowers enterprises to develop their software, hardware, and application ecosystems. Development Roadmap 2021.12 1+ million openEuler-based installations 2022.09 Debuted at Open Source Summit
0 credits | 116 pages | 3.16 MB | 1 year ago 3
openEuler 21.03 Technical Whitepaper
improve the performance experience of diversified computing power as well as advance the ecosystem development. openEuler tries to match each type of workload with the most appropriate computing power unit and Transparent Management of the Open Source Software Supply Chain The process of building an open source OS is also a process of supply chain aggregation and optimization. A reliable open source software kernel upgrade File systems Chips and peripheral drivers Linux Kernel 5.10 Computing architecture Process mgmt Driver framework etMem Async I/O communication framework Virtualization enhancement Scheduling
0 credits | 21 pages | 948.66 KB | 1 year ago 3
openEuler 21.09 Technical Whitepaper
enable a single application development for all scenarios. Continuous Contribution to the Linux Kernel As a major contributor to the Linux kernel, the kernel development team is responsible for enhancing contributing to upstream communities. Open and Transparent: The Open Source Software Supply Chain The process of building an open source OS relies on supply chain aggregation and optimization. To ensure reliable The user-mode swap delivers a higher performance than the kernel-mode swap and the whole swap process is transparent to users. Cloud base: • KubeOS for containers: In cloud native scenarios, the OS
0 credits | 36 pages | 3.40 MB | 1 year ago 3
Ubuntu Desktop Training 2009
Versions ........................ 7 1.3.3. Ubuntu Derivatives .................... 8 1.3.4. Ubuntu Development and the Community ......................................... 8 1.4. Ubuntu and Microsoft Windows: should be placed on silent mode during class. • Feedback is vital to the improvement of our course development and delivery. All students must complete the course evaluation form at the end of the last day collaborative development of software. Users continuously enhance the software, fix bugs, develop new features and share it with others. As a result of collaborative software development which involves
0 credits | 428 pages | 57.45 MB | 1 year ago 3
Cilium v1.6 Documentation
Developer / Contributor Guide Setting up the development environment Development process End-To-End Testing Framework How to contribute Pull request review process Building Container Images Documentation Developer’s Release Cadence Stable releases LTS Generic Release Process GitHub template process Reference steps for the template Minor Release Process Backporting process CI / Jenkins Jobs Overview Triggering Pull-Request updated without any changes to the application code or container configuration. Why Cilium? The development of modern datacenter applications has shifted to a service-oriented architecture often referred
0 credits | 734 pages | 11.45 MB | 1 year ago 3
Measuring Woody: The Size of Debian 3.0
later), showing that the Debian development model (based on the work of a large group of voluntary developers spread around the world) is at least as capable as other development methods (like the more centralized linux_distribution.html> . 2 tracking system, support and development mail lists, etc.), several translation and internationalization efforts, development of tools specific to Debian, and in a wide sense, of unique for many reasons. Its dedication to free software, its non-profit nature, and its open development model (where most of the discussions are addressed openly in public lists) are remarkable. The
0 credits | 15 pages | 111.82 KB | 1 year ago 3
Cilium v1.5 Documentation
Developer / Contributor Guide Setting up the development environment Development process End-To-End Testing Framework How to contribute Pull request review process Building Container Images Documentation CI updated without any changes to the application code or container configuration. Why Cilium? The development of modern datacenter applications has shifted to a service-oriented architecture often referred to dropped or a request rejected. The policy tracing framework allows to trace the policy decision process for both, running workloads and based on arbitrary label definitions. Metrics export via Prometheus:
0 credits | 740 pages | 12.52 MB | 1 year ago 3
Cilium v1.9 Documentation
developers. API Reference : Details the Cilium agent API for interacting with a local Cilium instance. Development Guide : Gives background to those looking to develop and contribute modifications to the Cilium a SIG For Developers Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Weekly duties duties Developer’s Certificate of Origin Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version
0 credits | 1263 pages | 18.62 MB | 1 year ago 3
Cilium v1.7 Documentation
Environment Submitting a pull request Getting a pull request merged Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Debugging Release tracking Release Cadence Backporting process Backport Criteria Backporting guide Generic Release Process Release Candidate Process Feature Release Process On Freeze date For the final release Testing Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing
0 credits | 885 pages | 12.41 MB | 1 year ago 3
76 results in total