What do we call an explosive mix of LSM, cgroup, BPF, seccomp?

60 Minute BoF session
Scheduled: Thursday, November 3, 2016 from 6:00 – 7:00pm in Sweeney AB

One Line Summary

checmate or landlock


Two BPF-based LSMs have been proposed to address a variety of use cases in security, monitoring and container networking:
- landlock by Mickael https://lkml.org/lkml/2016/8/25/286
- checmate by Sargun https://lkml.org/lkml/2016/8/4/58

landlock follows the seccomp approach by attaching to the task hierarchy.
checmate works with cgroups.
The goal of this BoF is to understand the use cases and talk about the path forward.

Anyone working on seccomp, cgroup, bpf, lsm is invited to join :)


  • Kees Cook



    Kees Cook has been working with Free Software since 1994, and has been a Debian Developer since 2007. He is currently employed by Google to work on Nexus, Brillo, and Chrome OS Security. From 2006 through 2011 he worked for Canonical as the Ubuntu Security Team’s Tech Lead, and remains on the Ubuntu Technical Board. Before that, he worked as the lead sysadmin at OSDL, before it was the Linux Foundation. He has written various utilities including GOPchop and Sendpage, and contributes randomly to other projects including fun chunks of code in OpenSSH, Inkscape, Wine, MPlayer, and Wireshark. He’s been spending most of his time lately focused on security features in the Linux Kernel.

  • Biography

    I’ve been working on various aspects of the Linux kernel since 2005 and
    love jumping around across different subsystems, which now includes
    libata, block layer, percpu memory allocator, workqueue, x86 and job
    control. I hope to continue working on various kernel subsystems as
    long as I can.

  • Biography

    Software engineer at Facebook