Virtual patching = a temporary, network-level rule that blocks a known
exploit before it reaches vulnerable software, buying time until the real
vendor patch ships (zero downtime, no app change). The classic form is a
WAF/IPS signature; the cheap-and-reliable form is an L3/L4 block rule.
Containarium already ships the enforcement substrate from the eBPF
network-isolation work (#315): per-container-veth TC clsact hooks that can
TC_ACT_SHOT, a per-tenant LPM-trie allow-list, a reconcile loop that pushes
rules into BPF maps with zero downtime, and audit perf events on every deny.
What's missing is a deny primitive and the inspection depth for signatures.
This epic tracks turning that substrate into a virtual-patching capability,
in three tiers of increasing depth and cost.
Tiers
Tier 1 — L3/L4 virtual patch (deny rules). Add a per-tenant deny
LPM-trie (CIDR + optional port/proto) evaluated before the allow logic,
returning TC_ACT_SHOT. Covers the large class of "a network-reachable
service / upstream is vulnerable — block it now." Pure eBPF, reuses the
whole substrate. Ships first. → Tier 1: L3/L4 virtual patch — per-tenant eBPF deny rules #660.
Tier 2 — bounded cleartext signature match (kernel). Extend the BPF
program with bpf_skb_load_bytes over the first ~256 payload bytes and a
small bpf_loop scan for a curated set of cleartext signatures (Log4Shell
${jndi:, Shellshock () {). Caveats spelled out: single-packet only
(segment-split evasion), cleartext only (no TLS), verifier-bounded pattern
count/length. → Tier 2: bounded cleartext signature matching in eBPF (best-effort IPS) #661.
Tier 3 — userspace WAF behind eBPF steering. eBPF redirects flagged
flows into a host-side WAF (Coraza / ModSec CRS) that does reassembly, TLS
termination, and vendor signature sets. The only WAF-grade path; eBPF's role
shrinks to a fast classifier/redirector. → Tier 3: userspace WAF behind eBPF flow steering (WAF-grade virtual patching) #662.
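Added illustration, not Containarium code: a userspace Go model of the Tier 1 and Tier 2 decision path the BPF program would take, with the deny lookup evaluated before anything else and the signature scan bounded to one segment. DenyRule's fields, the signatures slice and the function names are assumptions; netip.Prefix.Contains stands in for the kernel LPM-trie lookup.

```go
package main

import (
	"bytes"
	"net/netip"
)

const (
	tcActOK   = 0   // TC_ACT_OK
	tcActShot = 2   // TC_ACT_SHOT
	scanBytes = 256 // Tier 2 payload read budget per packet
)

// DenyRule models one per-tenant deny LPM-trie entry (hypothetical shape):
// a CIDR plus optional port and proto, where 0 means "any".
type DenyRule struct {
	Prefix netip.Prefix
	Port   uint16
	Proto  uint8
}

// Constructed curated cleartext signature set (the two the epic names).
var signatures = [][]byte{[]byte("${jndi:"), []byte("() {")}

// denied is an LPM hit on dst plus the optional port/proto value checks.
func denied(rules []DenyRule, dst netip.Addr, port uint16, proto uint8) bool {
	for _, r := range rules {
		if r.Prefix.Contains(dst) && (r.Port == 0 || r.Port == port) &&
			(r.Proto == 0 || r.Proto == proto) {
			return true
		}
	}
	return false
}

// verdict: Tier 1 deny lookup first, then the Tier 2 scan over at most scanBytes
// of this one segment (no reassembly). The #315 allow-list check is omitted here.
func verdict(deny []DenyRule, dst netip.Addr, port uint16, proto uint8, payload []byte) int {
	if denied(deny, dst, port, proto) {
		return tcActShot
	}
	if len(payload) > scanBytes {
		payload = payload[:scanBytes]
	}
	for _, s := range signatures {
		if bytes.Contains(payload, s) {
			return tcActShot
		}
	}
	return tcActOK
}
```

The single-segment and 256-byte bounds are exactly the Tier 2 caveats: a pattern that straddles two segments, or sits past the read budget, produces TC_ACT_OK on every packet.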
Product hook
Wire to the existing security scanner: a CVE finding emits a virtual-patch
deny rule → reconcile pushes it → reconcile auto-expires it when the scanner
confirms the upstream patch landed. "Band-Aid until the real patch ships, then
auto-removed," end to end.
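Added illustration, not Containarium's reconcile loop: a Go model of the scanner-to-deny-rule hook, in which every pushed rule is owned by the CVE finding that justified it and is expired as soon as the scanner stops reporting that finding. Finding, DenyKey and Reconciler are assumed shapes, not the project's types.

```go
package main

import "net/netip"

// Finding is a constructed stand-in for a scanner result: a CVE affecting an
// upstream reachable at Target (CIDR) on Port, scoped to Tenant.
// Field names are hypothetical, not the project's scanner schema.
type Finding struct {
	CVE    string
	Tenant string
	Target netip.Prefix
	Port   uint16
}

// DenyKey is the per-tenant deny-trie key the reconcile loop would push
// (assumed shape); the owning CVE is tracked so the rule can be expired.
type DenyKey struct {
	Tenant string
	Target netip.Prefix
	Port   uint16
}

// Reconciler mirrors the push/expire loop: rules exist only while the
// finding that created them is still open.
type Reconciler struct {
	live map[DenyKey]string // rule -> owning CVE
}

func NewReconciler() *Reconciler { return &Reconciler{live: map[DenyKey]string{}} }

// Reconcile returns the rules to push and the rules to auto-expire this cycle.
func (r *Reconciler) Reconcile(open []Finding) (added, expired []DenyKey) {
	want := map[DenyKey]string{}
	for _, f := range open {
		want[DenyKey{f.Tenant, f.Target, f.Port}] = f.CVE
	}
	for k, cve := range want {
		if _, ok := r.live[k]; !ok {
			r.live[k] = cve
			added = append(added, k)
		}
	}
	for k := range r.live {
		if _, ok := want[k]; !ok { // scanner no longer reports it: patch landed
			delete(r.live, k)
			expired = append(expired, k)
		}
	}
	return added, expired
}
```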
Honest constraints (why tiers, not one feature)
Pure-kernel eBPF sees one packet at a time (no reassembly) and can't read
TLS payloads — so signature matching past Tier 1 is genuinely limited.
All tiers inherit the existing two opt-ins: the feature is off unless
CONTAINARIUM_NETWORK_POLICY_BPF_OBJECT is set, and drops are disarmed unless
CONTAINARIUM_NETWORK_POLICY_ENFORCE=1. An overly broad deny rule must not
blackhole a container by default.
Design doc: docs/security/VIRTUAL-PATCHING-DESIGN.md (added with Tier 1).
Prior art in-tree: docs/security/NETWORK-ISOLATION-DESIGN.md, experimental/ebpf-phaseA/netpolicy.bpf.c, internal/netbpf/, internal/server/network_policy_enforcer.go.
Epic: eBPF virtual patching