-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] - Generate seccomp profile by tracing the syscalls made by the container #3576
Conversation
Can one of the admins verify this patch?
|
/ok-to-test |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon, weirdwiz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I think this should go under |
@rhatdan WDYT? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@weirdwiz, we need docs and bash-completion as well before we can merge.
And tests :^) |
@vrothberg Yes, I'm on it :D |
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Closing the PR as we created a dedicated project for the OCI hooks: https://github.com/containers/oci-seccomp-bpf-hook/ Thank you so much, @weirdwiz, for your great work! Looking forward to continue working with you over at https://github.com/containers/oci-seccomp-bpf-hook/ 🚀 |
Thanks for the help and mentorship @vrothberg @rhatdan, wouldn't have been possible without it! |
This pull request adds the ability for podman to generate seccomp profiles by tracing the syscalls made by the container. The generated profile would whitelist all the syscalls made and blacklist every other syscall.
The syscalls are traced by launching a binary by using the
prestart
OCI-hook. The binary started spawns a child process which attaches functionenter_trace
to theraw_syscalls:sys_enter
tracepoint using eBPF. The function looks at all the syscalls made on the system and writes the syscalls which have the same PID namespace as the container to the perf buffer. The perf buffer is read by the process in the userspace and generates a seccomp profile when the container exits.There are a few limitations to this approach:
CAP_SYS_ADMIN
to runpodman run --rm
along with this abilityTo build it, we need extra dependencies namely
bcc-devel
andkernel-headers
for Fedora andbcc-tools
andlinux-headers-[..]
for Ubuntu.Interface:
The profile will be created at the path provided to the annotation.
CIRRUS: TEST IMAGES