BPFContain: Fixing the Soft Underbelly of Container Security

Abstract: Linux containers currently provide limited isolation guarantees. While containers separate namespaces and partition resources, the patchwork of mechanisms used to ensure separation cannot guarantee consistent security semantics. Even worse, attempts to ensure complete coverage results in a mishmash of policies that are difficult to understand or audit. Here we present BPFContain, a new container confinement mechanism designed to integrate with existing container management systems. BPFContain combines a simple yet flexible policy language with an eBPF-based implementation that allows for deployment on virtually any Linux system running a recent kernel. In this paper, we present BPFContain's policy language, describe its current implementation as integrated into docker, and present benchmarks comparing it with current container confinement technologies.