[PATCH 0/4] bpf: add a few hooks for sandboxing

From: Christian Brauner

Date: Thu Feb 19 2026 - 19:38:57 EST


Hey,

I'm in the process of adding "universal truths" bpf lsm programs to
systemd that implement and enforce core system assumptions.

One aspect of this will be advanced namespace management so we can have
things like systemd-nsresourced tightly manage namespaces it allocates
and implement advanced access policies for them. We already do parts of
that but it's rather limited and relies on some workarounds as well
because we don't have the infrastructure for it. We also currently need
to rely on ugly workarounds such as attaching to very arcane tracing
hooks to be notified when namespaces go away.

The second aspect is managing cgroup attaches. This is a core feature
that has been demanded for a long time in systemd. We want to be able to
ensure that some services cannot ever escape their cgroups.

The new hooks are available to bpf lsm programs. Selftests included.

Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
---
Christian Brauner (4):
      ns: add bpf hooks
      cgroup: add bpf hook for attach
      selftests/bpf: add ns hook selftest
      selftests/bpf: add cgroup attach selftests

 include/linux/bpf_lsm.h                            |  36 ++
 kernel/bpf/bpf_lsm.c                               |  37 +++
 kernel/cgroup/cgroup.c                             |  18 +-
 kernel/nscommon.c                                  |   9 +-
 kernel/nsproxy.c                                   |   7 +
 .../selftests/bpf/prog_tests/cgroup_attach.c       | 362 +++++++++++++++++++++
 .../testing/selftests/bpf/prog_tests/ns_sandbox.c  |  99 ++++++
 .../selftests/bpf/progs/test_cgroup_attach.c       |  85 +++++
 .../testing/selftests/bpf/progs/test_ns_sandbox.c  |  91 ++++++
 9 files changed, 736 insertions(+), 8 deletions(-)
---
base-commit: 01582681b1e6881b49d848f1a6e200eace6aac0c
change-id: 20260219-work-bpf-namespace-b5699fad250e