Using eBPF instead of kernel patch for container measurement

[dongx1x]

There are two proposals for IMA-based container-level measurement:

1. IMA namespace
2. IMA Cgroups template

We are currently using the cgpath template and applying two kernel patches. However, the kernel patches RFC has been archived, and the author no longer updated it. eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading a kernel module, maybe we can use eBPF to replace the kernel patches.

Here is an example of extending the IMA to container measurement without changes to the kernel: https://github.com/avery-blanchard/container-ima

[wenhuizhang]

Good idea, Let us look into it, and see if the current eBPF helper supports digest list.