BPFContain: Fixing the Soft Underbelly of Container Security
arXiv - CS - Operating Systems. Pub date: 2021-02-13. DOI: arxiv-2102.06972
William Findlay, David Barrera, Anil Somayaji

Linux containers currently provide limited isolation guarantees. While containers separate namespaces and partition resources, the patchwork of mechanisms used to ensure separation cannot guarantee consistent security semantics. Even worse, attempts to ensure complete coverage result in a mishmash of policies that are difficult to understand or audit. Here we present BPFContain, a new container confinement mechanism designed to integrate with existing container management systems. BPFContain combines a simple yet flexible policy language with an eBPF-based implementation that allows for deployment on virtually any Linux system running a recent kernel. In this paper, we present BPFContain's policy language, describe its current implementation as integrated into Docker, and present benchmarks comparing it with current container confinement technologies.
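The "patchwork of mechanisms" the abstract refers to is visible on any Linux host: a containerised process's confinement is the sum of its capability sets, its seccomp mode, the no_new_privs bit and whatever LSM label the runtime attached, each recorded in a different place. The following audit script is an added example (not code from the paper or from BPFContain) that decodes those fields from `/proc/<pid>/status` and `/proc/<pid>/attr/current` and lists the gaps a reviewer would flag. The two status excerpts are constructed for the example; the `a80425fb` mask is the capability set Docker grants by default, and the `ESCAPE_PRONE` list and the findings wording are this example's own choices.

```python
"""Audit the per-process confinement state that Linux's separate container
isolation mechanisms leave behind: capabilities, seccomp, no_new_privs, LSM label.
Reads only standard /proc fields; sample inputs below are constructed."""

# Capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Example's own choice: capabilities that commonly let a process weaken or
# escape container isolation when left in the effective set.
ESCAPE_PRONE = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN",
                "CAP_BPF", "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE"}

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def decode_caps(mask_hex):
    """Turn a hex capability mask as printed in /proc/<pid>/status into names.
    Bits above the known table are reported as CAP_BIT_<n> rather than dropped."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    names += [f"CAP_BIT_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length())
              if mask >> bit & 1]
    return names


def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(status_text, lsm_label):
    """Summarise the confinement state and list the weaknesses a reviewer would flag."""
    f = parse_status(status_text)
    eff = decode_caps(f.get("CapEff", "0"))
    bnd = decode_caps(f.get("CapBnd", "0"))
    seccomp = SECCOMP_MODES.get(int(f.get("Seccomp", "0")), "unknown")
    nnp = f.get("NoNewPrivs", "0") == "1"
    uid = int(f.get("Uid", "0").split()[0])  # real uid is the first column
    findings = []
    risky = sorted(set(eff) & ESCAPE_PRONE)
    if risky:
        findings.append("escape-prone capabilities effective: " + ", ".join(risky))
    if seccomp != "filter":
        findings.append(f"seccomp mode is {seccomp}; no syscall filter applied")
    if not nnp:
        findings.append("NoNewPrivs unset; setuid/file-capability binaries can regain caps up to CapBnd")
    if uid == 0:
        findings.append("runs as uid 0; isolation rests entirely on capabilities and the LSM")
    if lsm_label.startswith("unconfined"):
        findings.append("no LSM profile (unconfined)")
    return {"uid": uid, "cap_eff": eff, "cap_bnd": bnd, "seccomp": seccomp,
            "no_new_privs": nnp, "lsm_label": lsm_label, "findings": findings}


def audit_pid(pid="self"):
    """Audit a live process. The LSM label comes from /proc/<pid>/attr/current
    (e.g. 'docker-default (enforce)' under AppArmor, or an SELinux context)."""
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    try:
        with open(f"/proc/{pid}/attr/current") as fh:
            label = fh.read().strip("\n\0") or "unconfined"
    except OSError:
        label = "unconfined"
    return audit(status, label)


# Constructed /proc/<pid>/status excerpts (not captured from a real host).
DOCKER_DEFAULT = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
NoNewPrivs:\t0
Seccomp:\t2
"""
PRIVILEGED = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
NoNewPrivs:\t0
Seccomp:\t0
"""

if __name__ == "__main__":
    for name, text, label in [("docker default", DOCKER_DEFAULT, "docker-default (enforce)"),
                              ("--privileged", PRIVILEGED, "unconfined")]:
        r = audit(text, label)
        print(f"{name}: {len(r['cap_eff'])} caps, seccomp={r['seccomp']}, nnp={r['no_new_privs']}")
        for finding in r["findings"]:
            print("  -", finding)
```

Run it inside a container with `python3 audit.py` for the constructed samples, or call `audit_pid()` from a shell in the container to see the live state. Note that every answer comes from a different subsystem with its own policy format; nothing in the output tells you whether the seccomp filter, the capability set and the LSM profile were written to agree with each other, which is the audit gap the paper sets out to close.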

Updated: 2021-02-16