From e75df41ae1335ec901bc441a8bacf75bcfdd5765 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:22:35 -0500 Subject: [PATCH 1/9] refactor --- daemonset.yaml => configs/daemonset/daemonset.yaml | 0 .../machine-config/machineconfig-enable-bpf-lsm.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename daemonset.yaml => configs/daemonset/daemonset.yaml (100%) rename machineconfig-enable-bpf-lsm.yaml => configs/machine-config/machineconfig-enable-bpf-lsm.yaml (100%) diff --git a/daemonset.yaml b/configs/daemonset/daemonset.yaml similarity index 100% rename from daemonset.yaml rename to configs/daemonset/daemonset.yaml diff --git a/machineconfig-enable-bpf-lsm.yaml b/configs/machine-config/machineconfig-enable-bpf-lsm.yaml similarity index 100% rename from machineconfig-enable-bpf-lsm.yaml rename to configs/machine-config/machineconfig-enable-bpf-lsm.yaml From 83f17916fe687288af3e07aea6eedf8a0f968984 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:23:17 -0500 Subject: [PATCH 2/9] add: gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8d73b69 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +block-copyfail \ No newline at end of file From 43075eba9ecb30de30c938c41b21a30bfcf9b831 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:23:42 -0500 Subject: [PATCH 3/9] update: container build --- Dockerfile | 2 +- Makefile | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 24e9b9a..4ccceeb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ RUN dnf install -y \ WORKDIR /build COPY block_copyfail.bpf.c block_copyfail.h block_copyfail.c Makefile ./ -RUN make +RUN make block-copyfail FROM registry.access.redhat.com/ubi9/ubi-minimal:latest diff --git a/Makefile b/Makefile index 88fe6fc..6d8042e 100644 --- a/Makefile +++ b/Makefile 
@@ -13,7 +13,7 @@ LDFLAGS := $(shell pkg-config --libs libbpf 2>/dev/null || echo "-lbpf -lelf -lz .PHONY: all clean -all: block-copyfail +all: podman-build block_copyfail.bpf.o: block_copyfail.bpf.c block_copyfail.h $(CLANG) $(BPF_CFLAGS) -c $< -o $@ @@ -24,5 +24,12 @@ block_copyfail.skel.h: block_copyfail.bpf.o block-copyfail: block_copyfail.c block_copyfail.h block_copyfail.skel.h $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS) +podman-build: + podman build -t block-copyfail-builder . + podman create --name bcf-tmp --replace block-copyfail-builder + podman cp bcf-tmp:/usr/local/bin/block-copyfail . + podman rm bcf-tmp + @echo "Copied to ./block-copyfail" + clean: rm -f block_copyfail.bpf.o block_copyfail.skel.h block-copyfail From ce99ebea1ed71f691e3878d073e3febf31332329 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:24:17 -0500 Subject: [PATCH 4/9] refactor: configs --- README.md | 44 ++++++------- configs/daemonset/bc-block-copyfail.yaml | 38 ++++++++++++ configs/daemonset/ds-block-copyfail.yaml | 62 +++++++++++++++++++ configs/daemonset/namespace.yaml | 12 ++++ configs/daemonset/rbac.yaml | 14 +++++ .../machineconfig-enable-bpf-lsm.yaml | 10 +++ test/01-namespace.yaml | 1 + 7 files changed, 157 insertions(+), 24 deletions(-) create mode 100644 configs/daemonset/bc-block-copyfail.yaml create mode 100644 configs/daemonset/ds-block-copyfail.yaml create mode 100644 configs/daemonset/namespace.yaml create mode 100644 configs/daemonset/rbac.yaml diff --git a/README.md b/README.md index 97f55a6..f999578 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ oc debug node/ -- chroot /host cat /sys/kernel/security/lsm # Must contain "bpf" # 2. Deploy the namespace and grant privileged SCC -oc apply -f daemonset.yaml +oc apply -f configs/daemonset # 3. DaemonSet pods will start automatically on all nodes 
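Review bot: `podman-build` is a command target, but the hunk leaves `.PHONY: all clean` unchanged, so a file or directory named `podman-build` in the checkout would satisfy the rule and a plain `make` (whose default goal `all` now points here) would silently do nothing; declare it with `.PHONY: all clean podman-build`. The recipe also leaves the `bcf-tmp` container behind whenever `podman cp` fails, since each line runs in its own shell and make stops at the first failure — `--replace` papers over that on the next run but not for a concurrent one; chaining `podman create … && podman cp … ; rc=$$?; podman rm -f bcf-tmp; exit $$rc` on a single line keeps the cleanup unconditional. A one-line `##` comment on the target stating that it extracts the binary from the runtime stage of the image (not the builder stage, despite the `block-copyfail-builder` tag) would save the next reader a trip to the Dockerfile.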
@@ -32,6 +32,12 @@ oc logs -n block-copyfail -l app=block-copyfail No reboots. No node drains. No pod restarts. Protection is immediate and covers all processes on all nodes (100% coverage). +### MachineSet Quick Start (requires reboot) + +```bash +oc apply -f configs/machine-config +``` + ## Table of Contents 1. [How the Exploit Works](#how-the-exploit-works) @@ -78,7 +84,7 @@ oc -n cve-2026-31431-test logs -l app=cve-2026-31431-test **On a vulnerable cluster** you will see: -``` +```output === CVE-2026-31431 Vulnerability Test === Target: /usr/bin/su @@ -122,33 +128,23 @@ oc debug node/ -- chroot /host cat /sys/kernel/security/lsm Expected output includes `bpf`: -``` +```output lockdown,capability,landlock,yama,selinux,bpf ``` If `bpf` is **not** present, a one-time MachineConfig is needed (this is the only scenario requiring a reboot): -```yaml -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - labels: - machineconfiguration.openshift.io/role: worker - name: 99-enable-bpf-lsm -spec: - kernelArguments: - - lsm=lockdown,capability,selinux,bpf -``` +[Machine Config](configs/machine-config/machineconfig-enable-bpf-lsm.yaml) ### Step 1: Create the namespace, grant the SCC, and deploy -Create a new `block-copyfail` namespace, grant SCC, and deploy the DaemonSet by applying [the `daemonset.yaml` manifest](daemonset.yaml). +Create a new `block-copyfail` namespace, grant SCC, and deploy the DaemonSet by applying [the `daemonset.yaml` manifest](configs/daemonset/ds-block-copyfail.yaml). The privileged SCC must be granted before the DaemonSet pods are created, otherwise pod creation will fail with SCC validation errors. ```bash -oc apply -f daemonset.yaml +oc apply -f configs/daemonset ``` ### Step 2: Wait for pods to start on all nodes 
@@ -159,7 +155,7 @@ oc get pods -n block-copyfail -o wide Expected: one pod per node, all `Running`: -``` +```output NAME READY STATUS AGE NODE block-copyfail-2jhzf 1/1 Running 34s ci-...-master-2 block-copyfail-4dfq7 1/1 Running 34s ci-...-master-1 @@ -177,7 +173,7 @@ oc logs -n block-copyfail -l app=block-copyfail Expected: -``` +```output block-copyfail: blocker active — all AF_ALG AEAD binds blocked ``` @@ -189,7 +185,7 @@ Re-run the same exploit test from the [Confirming Vulnerability](#confirming-vul **After deploying the BPF LSM DaemonSet**, the output will be: -``` +```output === CVE-2026-31431 Vulnerability Test === Target: /usr/bin/su @@ -206,7 +202,7 @@ The DaemonSet logs will show the blocked attempt: oc logs -n block-copyfail -l app=block-copyfail ``` -``` +```output block-copyfail: blocker active — all AF_ALG AEAD binds blocked block-copyfail: BLOCKED pid=16777 comm=python3 time=2026-05-01 16:37:23 ``` @@ -241,7 +237,7 @@ for t, n in tests: Expected output: -``` +```output BLOCKED aead/gcm(aes) -- [Errno 1] Operation not permitted BLOCKED aead/ccm(aes) -- [Errno 1] Operation not permitted BLOCKED aead/rfc4106(gcm(aes)) -- [Errno 1] Operation not permitted @@ -258,9 +254,9 @@ This confirms the BPF LSM blocks all AEAD binds while leaving other AF_ALG types The BPF LSM blocker source is in `block-copyfail/`: -``` +```output block-copyfail/ - block_copyfail.bpf.c # BPF kernel program (LSM hook) + block_copyfail.bpf.c # BPF kernel program (LSM hook) block_copyfail.c # Userspace loader (libbpf skeleton) block_copyfail.h # Shared event struct Makefile # Build pipeline @@ -287,7 +283,7 @@ for compilation, UBI 9 minimal for the runtime image (~122 MB). Deleting the DaemonSet immediately removes the mitigation on all nodes: ```bash -oc delete -f daemonset.yaml +oc delete -f configs/daemonset # or oc delete namespace block-copyfail ``` 
diff --git a/configs/daemonset/bc-block-copyfail.yaml b/configs/daemonset/bc-block-copyfail.yaml
new file mode 100644
index 0000000..44b39e8
--- /dev/null
+++ b/configs/daemonset/bc-block-copyfail.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+ name: block-copyfail
+ namespace: block-copyfail
+spec:
+ tags:
+ - name: latest
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ labels:
+ app: block-copyfail
+ app.kubernetes.io/component: block-copyfail
+ app.kubernetes.io/instance: block-copyfail
+ app.kubernetes.io/name: block-copyfail
+ app.kubernetes.io/part-of: block-copyfail-app
+ name: block-copyfail
+spec:
+ output:
+ to:
+ kind: ImageStreamTag
+ name: block-copyfail:latest
+ runPolicy: SerialLatestOnly
+ source:
+ contextDir: /
+ git:
+ uri: https://github.com/openshift/block-copyfail
+ ref: main
+ type: Git
+ strategy:
+ dockerStrategy:
+ dockerfilePath: Dockerfile
+ type: Docker
+ triggers:
+ - type: ConfigChange
diff --git a/configs/daemonset/ds-block-copyfail.yaml b/configs/daemonset/ds-block-copyfail.yaml
new file mode 100644
index 0000000..84939bf
--- /dev/null
+++ b/configs/daemonset/ds-block-copyfail.yaml
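Review bot: The BuildConfig builds from `ref: main` of `https://github.com/openshift/block-copyfail` and publishes to `block-copyfail:latest`, and nothing in the series pins a commit, tag or digest, so whatever is on that branch at build time ends up running as a privileged container on every node; the DaemonSet added in this same patch carries an image trigger on `block-copyfail:latest` with `paused: false`, so a rebuild rolls out cluster-wide without further review. The manifest this series deletes in patch 5 referenced the image by `@sha256:` digest, which is the stronger pin. Pin the source to an immutable ref, `ref: <release tag or commit SHA>`, or keep a digest-pinned registry image as the documented default, and consider `paused: true` on the DaemonSet trigger so rollouts are deliberate. If the in-cluster build is meant only for disconnected or development clusters, say so in a comment at the top of this file.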
@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ annotations:
+ image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"block-copyfail:latest","namespace":"block-copyfail"},"fieldPath":"spec.template.spec.containers[?(@.name==\"blocker\")].image","paused":false}]'
+ name: block-copyfail
+ namespace: block-copyfail
+ labels:
+ app: block-copyfail
+spec:
+ selector:
+ matchLabels:
+ app: block-copyfail
+ template:
+ metadata:
+ labels:
+ app: block-copyfail
+ spec:
+ priorityClassName: system-node-critical
+ tolerations:
+ - operator: Exists
+ containers:
+ - name: blocker
+ image: block-copyfail:latest
+ # image: quay.io/openshift/block-copyfail:latest
+ command:
+ - /bin/sh
+ - -c
+ - |
+ /usr/local/bin/block-copyfail
+ sleep infinity
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - BPF
+ drop:
+ - ALL
+ volumeMounts:
+ - name: bpf
+ mountPath: /sys/fs/bpf
+ - name: btf
+ mountPath: /sys/kernel/btf/vmlinux
+ readOnly: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 64Mi
+ volumes:
+ - name: bpf
+ hostPath:
+ path: /sys/fs/bpf
+ type: DirectoryOrCreate
+ - name: btf
+ hostPath:
+ path: /sys/kernel/btf/vmlinux
+ type: File
+ terminationGracePeriodSeconds: 5
diff --git a/configs/daemonset/namespace.yaml b/configs/daemonset/namespace.yaml
new file mode 100644
index 0000000..abebf33
--- /dev/null
+++ b/configs/daemonset/namespace.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ kubernetes.io/description: Block / Detect CopyFail attempts on Openshift
+ openshift.io/display-name: Block CopyFail
+ name: block-copyfail
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
diff --git a/configs/daemonset/rbac.yaml b/configs/daemonset/rbac.yaml
new file mode 100644
index 0000000..1b26499
--- /dev/null
+++ b/configs/daemonset/rbac.yaml
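Review bot: The container command runs `/usr/local/bin/block-copyfail` and then `sleep infinity` unconditionally, so if the loader fails (BPF LSM not enabled on the node, BTF mismatch, libbpf error) the container keeps running and the pod reports `1/1 Running` — which is exactly the success check the README gives — while no protection is in place. Use `exec /usr/local/bin/block-copyfail` so the loader is the container process and its exit fails the pod, or if it is meant to exit after attaching, `/usr/local/bin/block-copyfail && exec sleep infinity` so a non-zero exit still terminates the container; a readiness probe that checks the program is attached would make the README's check honest. The `capabilities: drop: [ALL] / add: [BPF]` block under `privileged: true` gives no real assurance, since as far as I know the runtime grants a privileged container the full capability set regardless of that list, so it reads as a least-privilege claim the pod does not deliver. Either drop `privileged` and grant `BPF` plus `PERFMON` (loading an LSM-type program needs CAP_PERFMON or CAP_SYS_ADMIN in addition to CAP_BPF, if I recall the kernel's prog-type checks correctly, and the SELinux labelling of the two hostPath mounts would then need handling), or remove the capabilities block and add a comment stating why `privileged` is required.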
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system:openshift:scc:privileged
+ namespace: block-copyfail
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: block-copyfail
diff --git a/configs/machine-config/machineconfig-enable-bpf-lsm.yaml b/configs/machine-config/machineconfig-enable-bpf-lsm.yaml
index d3c266e..b0c0141 100644
--- a/configs/machine-config/machineconfig-enable-bpf-lsm.yaml
+++ b/configs/machine-config/machineconfig-enable-bpf-lsm.yaml
@@ -1,6 +1,16 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
+metadata:
+ labels:
+ machineconfiguration.openshift.io/role: master
+ name: 99-enable-bpf-lsm
+spec:
+ kernelArguments:
+ - lsm=lockdown,capability,selinux,bpf
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
 metadata:
 labels:
 machineconfiguration.openshift.io/role: worker
diff --git a/test/01-namespace.yaml b/test/01-namespace.yaml
index 08596fd..3a67491 100644
--- a/test/01-namespace.yaml
+++ b/test/01-namespace.yaml
@@ -4,3 +4,4 @@ metadata:
 name: cve-2026-31431-test
 annotations:
 kubernetes.io/description: Testing CVE-2026-31431.
+ openshift.io/display-name: CVE-2026-31431 Test
From 38fe44a5531cd556199c3610528204f36c4b3301 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:31:43 -0500 Subject: [PATCH 5/9] cleanup --- .../{namespace.yaml => 01-namespace.yaml} | 0 configs/daemonset/{rbac.yaml => 02-rbac.yaml} | 0 configs/daemonset/bc-block-copyfail.yaml | 2 +- configs/daemonset/daemonset.yaml | 71 ------------------- 4 files changed, 1 insertion(+), 72 deletions(-) rename configs/daemonset/{namespace.yaml => 01-namespace.yaml} (100%) rename configs/daemonset/{rbac.yaml => 02-rbac.yaml} (100%) delete mode 100644 configs/daemonset/daemonset.yaml
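Review bot: The RoleBinding grants the `privileged` SCC to the namespace's `default` ServiceAccount, and the DaemonSet in this series sets no `serviceAccountName`, so it runs as `default` — which means every pod anyone with create rights in `block-copyfail` launches also gets privileged host access, not just the blocker. Give the DaemonSet its own ServiceAccount, bind the SCC to that, and set `serviceAccountName: block-copyfail` in the pod spec (the DaemonSet manifest is outside this hunk). A short comment on the binding noting that it is the only thing allowing the pods to run privileged and mount hostPaths would help the next reviewer see why it exists.

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: block-copyfail
  namespace: block-copyfail
---
# … unchanged: RoleBinding metadata and roleRef …
subjects:
  - kind: ServiceAccount
    name: block-copyfail
    namespace: block-copyfail
```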
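Review bot: `lsm=lockdown,capability,selinux,bpf` replaces the kernel's LSM list rather than appending to it, so any LSM not named is disabled after the reboot; on nodes whose current list looks like the README's expected `lockdown,capability,landlock,yama,selinux,bpf`, this turns off Yama (ptrace scoping) and Landlock while turning on bpf. Unless dropping them is intentional, derive the value from the node's own `/sys/kernel/security/lsm` with `bpf` appended, e.g. `- lsm=lockdown,capability,landlock,yama,selinux,bpf`, and say so in a comment: `# Append bpf to the node's existing list (cat /sys/kernel/security/lsm); lsm= replaces the whole list, so any LSM left out is disabled.` The worker pool below this hunk uses the same value and needs the same treatment.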
diff --git a/configs/daemonset/namespace.yaml b/configs/daemonset/01-namespace.yaml similarity index 100% rename from configs/daemonset/namespace.yaml rename to configs/daemonset/01-namespace.yaml diff --git a/configs/daemonset/rbac.yaml b/configs/daemonset/02-rbac.yaml similarity index 100% rename from configs/daemonset/rbac.yaml rename to configs/daemonset/02-rbac.yaml diff --git a/configs/daemonset/bc-block-copyfail.yaml b/configs/daemonset/bc-block-copyfail.yaml index 44b39e8..8cf99d1 100644 --- a/configs/daemonset/bc-block-copyfail.yaml +++ b/configs/daemonset/bc-block-copyfail.yaml @@ -16,7 +16,7 @@ metadata: app.kubernetes.io/component: block-copyfail app.kubernetes.io/instance: block-copyfail app.kubernetes.io/name: block-copyfail - app.kubernetes.io/part-of: block-copyfail-app + app.kubernetes.io/part-of: block-copyfail name: block-copyfail spec: output: diff --git a/configs/daemonset/daemonset.yaml b/configs/daemonset/daemonset.yaml deleted file mode 100644 index 9964a57..0000000 --- a/configs/daemonset/daemonset.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: block-copyfail - labels: - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/warn: privileged ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: system:openshift:scc:privileged - namespace: block-copyfail -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:openshift:scc:privileged -subjects: -- kind: ServiceAccount - name: default - namespace: block-copyfail ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: block-copyfail - namespace: block-copyfail - labels: - app: block-copyfail -spec: - selector: - matchLabels: - app: block-copyfail - template: - metadata: - labels: - app: block-copyfail - spec: - priorityClassName: system-node-critical - tolerations: - - operator: Exists - containers: - - name: blocker - image: quay.io/openshift/block-copyfail@sha256:bbf0b19bfb63d79bab6adc47cae70f15c62f83a4a6bcc6f41509656cf0dae52f - securityContext: - privileged: true - volumeMounts: - - name: bpf - mountPath: /sys/fs/bpf - - name: btf - mountPath: /sys/kernel/btf/vmlinux - readOnly: true - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - cpu: 100m - memory: 64Mi - volumes: - - name: bpf - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate - - name: btf - hostPath: - path: /sys/kernel/btf/vmlinux - type: File - terminationGracePeriodSeconds: 5 From bfd42ca7072e2619ad360525b8e274d13a47beaf Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:53:06 -0500 Subject: [PATCH 6/9] update: docs --- README.md | 2 ++ configs/daemonset/ds-block-copyfail.yaml | 1 + 2 files changed, 3 insertions(+) diff --git a/README.md b/README.md index f999578..09b9eb5 100644 --- a/README.md +++ b/README.md 
@@ -11,6 +11,8 @@ prevents bypasses via crypto template nesting (e.g. `pcrypt(authencesn(...))`). Other AF_ALG usage (hash, skcipher) is unaffected. Tested end-to-end on three separate OCP 4.22 clusters. +- https://access.redhat.com/solutions/7141979 + ## Quick Start ```bash diff --git a/configs/daemonset/ds-block-copyfail.yaml b/configs/daemonset/ds-block-copyfail.yaml index 84939bf..47a2f30 100644 --- a/configs/daemonset/ds-block-copyfail.yaml +++ b/configs/daemonset/ds-block-copyfail.yaml @@ -23,6 +23,7 @@ spec: containers: - name: blocker image: block-copyfail:latest + # replace the image above if you want to use the container image from public repos # image: quay.io/openshift/block-copyfail:latest command: - /bin/sh From d228be6db606fc37f87c29e6b98b94bf254e847c Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 17:55:49 -0500 Subject: [PATCH 7/9] fix: lint --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4ccceeb..390a0ea 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ -FROM registry.fedoraproject.org/fedora:latest AS builder +FROM registry.fedoraproject.org/fedora:43 AS builder +# hadolint ignore=DL3041 RUN dnf install -y \ clang llvm bpftool \ libbpf-devel elfutils-libelf-devel zlib-devel \ @@ -10,8 +11,10 @@ WORKDIR /build COPY block_copyfail.bpf.c block_copyfail.h block_copyfail.c Makefile ./ RUN make block-copyfail +# hadolint ignore=DL3007 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +# hadolint ignore=DL3041 RUN microdnf install -y libbpf elfutils-libelf zlib && microdnf clean all COPY --from=builder /build/block-copyfail /usr/local/bin/block-copyfail From 1d2a558f291e98cc144fa3b0f1eafa583f4afbe6 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 18:01:04 -0500 Subject: [PATCH 8/9] update: docs --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 09b9eb5..5d42a61 100644 
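Review bot: The runtime stage still pulls `ubi9/ubi-minimal:latest`, and the hunk silences hadolint's DL3007 rather than pinning it, so the `libbpf`, `elfutils-libelf` and `zlib` the loader links against (the Makefile's `-lbpf -lelf -lz`) drift from build to build and the image that runs privileged on every node is not reproducible; pin a minor tag or `@sha256:` digest and drop the ignore. There is also a cross-distro link: the binary is built against Fedora 43's `libbpf-devel` but runs against UBI 9's `libbpf`, and if Fedora's libbpf is newer and the binary references a newer versioned symbol it will fail at startup with a missing `LIBBPF_x.y` symbol version — a failure the DaemonSet's `sleep infinity` wrapper would not surface. Building in a `ubi9` (or matching RHEL-release) builder image, or linking libbpf statically, removes that class of mismatch. If leaving the base floating is deliberate, a comment above the `FROM` saying why belongs next to the hadolint ignore.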
--- a/README.md +++ b/README.md @@ -11,8 +11,6 @@ prevents bypasses via crypto template nesting (e.g. `pcrypt(authencesn(...))`). Other AF_ALG usage (hash, skcipher) is unaffected. Tested end-to-end on three separate OCP 4.22 clusters. -- https://access.redhat.com/solutions/7141979 - ## Quick Start ```bash @@ -40,6 +38,10 @@ covers all processes on all nodes (100% coverage). oc apply -f configs/machine-config ``` +See https://access.redhat.com/solutions/7141979 + +This solution will cause all nodes to reboot due to machine config pool changes (adding kernel arguments) + ## Table of Contents 1. [How the Exploit Works](#how-the-exploit-works) From 5bda4145134e73105fabcf1507aa8507d17b9570 Mon Sep 17 00:00:00 2001 From: Cory Latschkowski Date: Mon, 4 May 2026 18:11:34 -0500 Subject: [PATCH 9/9] update: docs / examples --- README.md | 4 ++-- .../machineconfig-disable-algif.yaml | 24 +++++++++++++++++++ .../machineconfig-enable-bpf-lsm.yaml | 4 ++-- 3 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 configs/machine-config-kb/machineconfig-disable-algif.yaml diff --git a/README.md b/README.md index 5d42a61..cfc8132 100644 --- a/README.md +++ b/README.md @@ -38,9 +38,9 @@ covers all processes on all nodes (100% coverage). oc apply -f configs/machine-config ``` -See https://access.redhat.com/solutions/7141979 +See also - https://access.redhat.com/solutions/7141979, [[YAML](configs/machine-config-kb/machineconfig-disable-algif.yaml)] -This solution will cause all nodes to reboot due to machine config pool changes (adding kernel arguments) +Machine config solution(s) will cause all nodes to reboot due to machine config pool changes (adding kernel arguments) ## Table of Contents diff --git a/configs/machine-config-kb/machineconfig-disable-algif.yaml b/configs/machine-config-kb/machineconfig-disable-algif.yaml new file mode 100644 index 0000000..d3b9e1b --- /dev/null +++ b/configs/machine-config-kb/machineconfig-disable-algif.yaml 
@@ -0,0 +1,24 @@
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ annotations:
+ solution: https://access.redhat.com/solutions/7141979
+ labels:
+ machineconfiguration.openshift.io/role: master
+ name: 99-disable-algif-builtin-master
+spec:
+ kernelArguments:
+ - initcall_blacklist=algif_aead_init
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ annotations:
+ solution: https://access.redhat.com/solutions/7141979
+ labels:
+ machineconfiguration.openshift.io/role: worker
+ name: 99-disable-algif-builtin-worker
+spec:
+ kernelArguments:
+ - initcall_blacklist=algif_aead_init
diff --git a/configs/machine-config/machineconfig-enable-bpf-lsm.yaml b/configs/machine-config/machineconfig-enable-bpf-lsm.yaml
index b0c0141..13a06d8 100644
--- a/configs/machine-config/machineconfig-enable-bpf-lsm.yaml
+++ b/configs/machine-config/machineconfig-enable-bpf-lsm.yaml
@@ -4,7 +4,7 @@ kind: MachineConfig
 metadata:
 labels:
 machineconfiguration.openshift.io/role: master
- name: 99-enable-bpf-lsm
+ name: 99-enable-bpf-lsm-master
 spec:
 kernelArguments:
 - lsm=lockdown,capability,selinux,bpf
@@ -14,7 +14,7 @@ kind: MachineConfig
 metadata:
 labels:
 machineconfiguration.openshift.io/role: worker
- name: 99-enable-bpf-lsm
+ name: 99-enable-bpf-lsm-worker
 spec:
 kernelArguments:
 - lsm=lockdown,capability,selinux,bpf
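Review bot: `initcall_blacklist=algif_aead_init` only has an effect when `algif_aead` is compiled into the kernel (the `builtin` in the MachineConfig names suggests the author knows this); as far as I know the parameter does nothing for a loadable `algif_aead.ko`, in which case every node reboots and remains exploitable with nothing to indicate it. Add a comment in the file telling the operator to confirm the module is built-in before relying on this, e.g. `# Only effective when algif_aead is built into the kernel; where it is a loadable module, blacklist it via /etc/modprobe.d instead. Verify after the reboot by re-running the test under test/.` Since the rollout forces a reboot of every node, a verification step is cheap relative to a silent no-op.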