Lock down applications with fine-grained security controls. Define what files they can access, which network connections they can make, and what programs they can run - all without modifying the application itself.
/ demo
Watch how BpfJailer sandboxes a process and blocks unauthorized file access, network connections, and program execution in real time.
/ what it does
Decide which files and directories an application can read or write. Block access to sensitive system files automatically.
Restrict which ports and protocols an application can use. Allow only the connections your app actually needs.
Prevent applications from spawning shells or running other programs. Stop attackers from executing malicious code.
/ use cases
Lock down your web servers to only serve content on ports 80/443. Even if an attacker finds a vulnerability, they can't access your database or make outbound connections.
Add an extra layer of security to Docker containers. BpfJailer enforces policies at the kernel level, providing defense in depth for containerized apps.
Give each service only the permissions it needs. Your API gateway can accept connections, but your background workers stay isolated from the network.
Running third-party scripts or plugins? Sandbox them so they can't access files or network resources outside their designated area.
/ protection
Block attackers from reading sensitive files like passwords, configs, or customer data.
Stop attackers from establishing connections back to their servers to control your system.
Prevent malware from downloading and running crypto mining software on your servers.
Block applications from being tricked into accessing internal services or cloud metadata endpoints.
Prevent attackers from reading password files or modifying system configuration.
Stop attackers from exploiting input fields to run shell commands on your server.
/ security profiles
Choose from ready-to-use profiles or create custom ones. Each role defines what the application can and cannot do.
| Role | File Access | Network | Run Programs |
|---|---|---|---|
| restricted | Blocked | Blocked | Blocked |
| permissive | Allowed | Allowed | Allowed |
| webserver | Allowed | HTTP/HTTPS only | Blocked |
| database | Allowed | DB ports only | Blocked |
| isolated | Allowed | Blocked | Blocked |
| web_with_db | Allowed | Web + DB ports | Blocked |
| worker | Allowed | HTTPS + queues | Allowed |
/ comparison
Traditional MAC solutions like SELinux are powerful but complex. BpfJailer offers a simpler, more flexible approach.
| Feature | BpfJailer | SELinux |
|---|---|---|
| Setup Complexity | Simple JSON policies | Complex policy language |
| Learning Curve | Minutes to start | Weeks to master |
| Per-Process Control | Easy enrollment API | Requires policy contexts |
| Dynamic Policies | Runtime changes | Requires recompilation |
| Network Filtering | Per-port rules built-in | Limited, needs iptables |
| Container Support | Works alongside Docker | Often disabled in containers |
| Kernel Module | No compilation needed | Built into kernel |
/ how it works
Run the BpfJailer daemon on your server. It loads security policies and monitors all processes.
Enroll your application with a security role. The role determines what the app can access.
Your app is now sandboxed. Any action outside its role permissions is automatically blocked.
Add an extra layer of security to any Linux application. No code changes required.