security: Container Monitoring LSM

The container monitoring LSM collects information about containerized
processes and relays it to a VMM backend through vsock or to user-mode
through a shared pipe. It can be enabled and configured directly from
the VMM backend or from user-mode.

Information captured:
 - Process arguments.
 - Environment variables.
 - File layer for overlayfs.
 - stdin, stdout and stderr modes.
 - Unique identifier for processes.
 - Relay container information and link it to existing instances.
 - Process exit.

Enhancements included from the original implementation:
 - Use workqueue to dispatch events to pipe or vsock.
 - Optimize memory usage to match target events in 99% cases.
 - Identify kubectl/docker exec session by using new pid_namespace field.
 - Fix process unique identifier to use the task group leader start time.
 - Fetch more information on files. For example, on socket files fetch the
   family and full IP.
 - Track the first process writing a file on the upper overlayfs layer
   (ephemeral), using security extended attributes (security.csm).
 - Track clone events.
 - Track mapping of files as executable (libraries).
 - When enabled, enumerate all existing processes.
 - Clean the pipe and all data when the LSM is disabled.
 - Add option to fully enable the LSM at boot (used for testing only).
 - Disable vsock by default.
 - Expose stats through sysfs to identify dropped events or issues.
 - Add dependencies to MMU and x86_64.
 - Optimizations to nanopb build.

Include contributions from:
 - John Davis <>
 - Peter Martincic <>
 - Leo Linsky
 - Chi-fan Chu
 - Ming Zou

Messages are encoded using protobuf and nanopb. Github depot for

TEST=Build, boot and GCP internal testing.

Signed-off-by: Thomas Garnier <>
Tested-by: Thomas Garnier <>
Change-Id: I15b97b6ad45edc2b5cec5b50a52a60cd4880024e
Commit-Queue: Vaibhav Rustagi <>
Reviewed-by: Vaibhav Rustagi <>
Tested-by: Vaibhav Rustagi <>
29 files changed
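The commit says the LSM marks the first process that writes a file on the ephemeral overlayfs upper layer with a security extended attribute named security.csm. The following user-space checker is an added example, not code from this commit or from the LSM itself: it reports whether a path carries that attribute and returns its raw bytes. Only the attribute name is taken from the commit; the value format is not described there, so the value is treated as opaque. The /tmp location used by the helper and the function names are the example's own choices.

```c
// Added example: check a file for the "security.csm" xattr that the container
// monitoring LSM commit describes as its first-writer marker on the overlayfs
// upper layer. The attribute name comes from the commit message; the value
// format does not, so the value is handled as opaque bytes. Linux-specific.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

#define CSM_XATTR "security.csm"

/* Returns 1 if path carries security.csm, 0 if it does not (or the filesystem
 * has no xattr support at all), -1 on any other error with errno set.
 * lgetxattr is used so a symlink is inspected itself, not its target. */
int csm_xattr_status(const char *path)
{
    ssize_t n = lgetxattr(path, CSM_XATTR, NULL, 0);
    if (n >= 0)
        return 1;
    if (errno == ENODATA || errno == ENOTSUP)
        return 0;
    return -1;
}

/* Copies the raw attribute value into buf. Returns the value length, 0 if the
 * attribute is absent or unsupported, -1 on error (including ERANGE when buf
 * is too small). The LSM's value encoding is not known here, so callers must
 * not assume it is a string or NUL-terminated. */
ssize_t csm_xattr_value(const char *path, unsigned char *buf, size_t buflen)
{
    ssize_t n = lgetxattr(path, CSM_XATTR, buf, buflen);
    if (n >= 0)
        return n;
    if (errno == ENODATA || errno == ENOTSUP)
        return 0;
    return -1;
}

/* Helper for stand-alone runs: create an empty temporary file under /tmp
 * (assumed writable) and return its malloc'ed path; caller unlinks and frees. */
char *csm_make_temp_file(void)
{
    char tmpl[] = "/tmp/csm-check-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    close(fd);
    return strdup(tmpl);
}

int main(int argc, char **argv)
{
    // With no arguments, inspect a fresh temp file (which carries no marker);
    // otherwise inspect each path given, e.g. files in a container upper dir.
    char *tmp = NULL;
    if (argc < 2) {
        tmp = csm_make_temp_file();
        if (!tmp) {
            perror("mkstemp");
            return 1;
        }
    }
    for (int i = 1; i < (argc < 2 ? 2 : argc); i++) {
        const char *path = tmp ? tmp : argv[i];
        unsigned char val[256];
        int st = csm_xattr_status(path);
        if (st < 0) {
            fprintf(stderr, "%s: %s\n", path, strerror(errno));
            continue;
        }
        printf("%s: %s\n", path, st ? "security.csm present" : "no security.csm");
        ssize_t n = st ? csm_xattr_value(path, val, sizeof val) : 0;
        for (ssize_t j = 0; j < n; j++)
            printf("%02x%s", val[j], j + 1 == n ? "\n" : " ");
    }
    if (tmp) {
        unlink(tmp);
        free(tmp);
    }
    return 0;
}
```

Run it against files in a container's overlayfs upper directory to see which ones the LSM has tagged; on a kernel without this LSM every file reports "no security.csm", which is the expected negative result rather than an error.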