Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] - Generate seccomp profile by tracing the syscalls made by the container #3576

Closed
wants to merge 27 commits into from

Conversation

weirdwiz
Copy link
Collaborator

@weirdwiz weirdwiz commented Jul 15, 2019

This pull request adds the ability for podman to generate seccomp profiles by tracing the syscalls made by the container. The generated profile would whitelist all the syscalls made and blacklist every other syscall.

The syscalls are traced by launching a binary by using the prestart OCI-hook. The binary started spawns a child process which attaches function enter_trace to the raw_syscalls:sys_enter tracepoint using eBPF. The function looks at all the syscalls made on the system and writes the syscalls which have the same PID namespace as the container to the perf buffer. The perf buffer is read by the process in the userspace and generates a seccomp profile when the container exits.

There are a few limitations to this approach:

  • Needs CAP_SYS_ADMIN to run
  • Compiles C code on the fly
  • Cannot use podman run --rm along with this ability

To build it, we need extra dependencies namely bcc-devel and kernel-headers for Fedora and bcc-tools and linux-headers-[..] for Ubuntu.

Interface:

sudo podman run --annotation io.podman.trace-syscall=[absolute path to the json file] IMAGE COMMAND

The profile will be created at the path provided to the annotation.

CIRRUS: TEST IMAGES

@openshift-ci-robot openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 15, 2019
@rh-atomic-bot
Copy link
Collaborator

Can one of the admins verify this patch?
I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

cmd/podman/shared/create.go Outdated Show resolved Hide resolved
pkg/adapter/containers.go Outdated Show resolved Hide resolved
@mheon
Copy link
Member

mheon commented Jul 15, 2019

/ok-to-test
/approve

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon, weirdwiz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 15, 2019
@giuseppe
Copy link
Member

This commit adds the flag --genseccomp to podman which can trace the syscalls made by a container and create a container profile from all the syscalls collected

I think this should go under podman generate

@vrothberg
Copy link
Member

This commit adds the flag --genseccomp to podman which can trace the syscalls made by a container and create a container profile from all the syscalls collected

I think this should go under podman generate

podman generate operates on running containers. I find it easier to just add a flag to podman-run and podman-create.

@rhatdan WDYT?

Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@weirdwiz, we need docs and bash-completion as well before we can merge.

@vrothberg
Copy link
Member

@weirdwiz, we need docs and bash-completion as well before we can merge.

And tests :^)

@weirdwiz
Copy link
Collaborator Author

@vrothberg Yes, I'm on it :D

@vrothberg vrothberg changed the title Generate seccomp profile by tracing the syscalls made by the container [WIP] - Generate seccomp profile by tracing the syscalls made by the container Jul 16, 2019
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
Signed-off-by: Divyansh Kamboj <[email protected]>
@vrothberg
Copy link
Member

Closing the PR as we created a dedicated project for the OCI hooks: https://github.com/containers/oci-seccomp-bpf-hook/

Thank you so much, @weirdwiz, for your great work! Looking forward to continue working with you over at https://github.com/containers/oci-seccomp-bpf-hook/ 🚀

@vrothberg vrothberg closed this Sep 22, 2019
@weirdwiz
Copy link
Collaborator Author

Thanks for the help and mentorship @vrothberg @rhatdan, wouldn't have been possible without it!

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 26, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. ok-to-test size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants