[WIP] - Generate seccomp profile by tracing the syscalls made by the container #3576

wants to merge 27 commits into from
fbdffb9
Generate seccomp profile by tracing the syscalls made by the container
weirdwiz May 30, 2019
1c00790
Add comment to event struct
weirdwiz Jul 23, 2019
38372df
Refactor and comments, read syscalls after the exec call
weirdwiz Jul 25, 2019
b114464
Send signal to parent process when tracepoint attaches
weirdwiz Jul 25, 2019
72c20c3
Refactor and comments | use cgo structs
weirdwiz Jul 26, 2019
4316edf
Start writing test
weirdwiz Jul 29, 2019
60cac60
minor corrections in spelling
weirdwiz Jul 29, 2019
33a63ac
remove cgo use default structs
weirdwiz Jul 30, 2019
d2c0806
Record syscall after prctl() has been called
weirdwiz Aug 1, 2019
70f70d0
Use --annotation instead of flag for generate-seccomp
weirdwiz Aug 1, 2019
9151f00
Rename package bpf to bcc
weirdwiz Aug 1, 2019
da8ff64
Integration tests for generate-seccmop
weirdwiz Aug 1, 2019
d7ff5f5
Add install instructions for generate-seccomp
weirdwiz Aug 1, 2019
d101205
Fix tests
weirdwiz Aug 2, 2019
74d84e6
Fix lint error gobpf
weirdwiz Aug 9, 2019
e6f4a51
CIRRUS: bcc packages to the image
weirdwiz Aug 15, 2019
93e9e59
Build only when libbcc is present
weirdwiz Aug 22, 2019
fd85333
Fix linting errors
weirdwiz Aug 23, 2019
44c5b6f
Use buildtags to build oci-trace-hook
weirdwiz Aug 24, 2019
c534b97
Install bcc-devel on F30 and above
weirdwiz Aug 30, 2019
95296f6
Remove extra lines
weirdwiz Aug 30, 2019
28e19c8
Remove unnecessary packages from `ubuntu_setup.sh`
weirdwiz Sep 6, 2019
8372ffe
Fix repeating comments
weirdwiz Sep 6, 2019
59f1eab
Fix hook install destination
weirdwiz Sep 7, 2019
54c0fc8
Sort the syscalls written in the json file
weirdwiz Sep 14, 2019
0d91b3c
Add the repository url only to bionic
weirdwiz Sep 15, 2019
fb95d0e
fix hook install dir
weirdwiz Sep 20, 2019
5 changes: 5 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
FROM golang:1.12

RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD \
&& echo "deb https://repo.iovisor.org/apt/bionic bionic main" | tee /etc/apt/sources.list.d/iovisor.list

RUN apt-get update && apt-get install -y \
apparmor \
autoconf \
automake \
bcc-tools \
bison \
build-essential \
curl \
Expand Down Expand Up @@ -34,6 +38,7 @@ RUN apt-get update && apt-get install -y \
libdevmapper-dev \
libgpgme11-dev \
liblzma-dev \
libtinfo5 \
netcat \
socat \
lsof \
Expand Down
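Review bot: The iovisor apt repository added in the first hunk is trusted on a 64-bit key id alone (`--recv-keys 4052245BD4284CDD` fetched over the keyserver), and long key ids are not collision-resistant while the HKP transport is unauthenticated; pin the full fingerprint, or check the key file into the repo and install it with `apt-key add` or a `signed-by=` entry in the `deb` line, and fail the build if the imported fingerprint differs. The `bionic` suite is an Ubuntu channel layered onto the Debian-based `golang:1.12` image, which deserves a comment such as `# bcc comes from iovisor's Ubuntu bionic repo; base image is Debian — re-check ABI compatibility when bumping the golang tag`. The `libtinfo5` line in the second hunk looks like a runtime dependency of those foreign packages rather than of podman itself; if so, a short comment next to it would save the next maintainer from removing it.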
28 changes: 26 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ BINDIR ?= ${PREFIX}/bin
LIBEXECDIR ?= ${PREFIX}/libexec
MANDIR ?= ${PREFIX}/share/man
SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
HOOK_BIN_DIR ?= ${PREFIX}/libexec/oci/hooks.d/
ETCDIR ?= /etc
HOOK_DIR ?= ${ETCDIR}/containers/oci/hooks.d/
TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
USERSYSTEMDDIR ?= ${PREFIX}/lib/systemd/user
Expand All @@ -34,6 +36,7 @@ BUILDTAGS ?= \
seccomp \
varlink

BUILDTAG_TRACE_HOOK ?= $(shell hack/generate_seccomp_tag.sh)
GO_BUILD=$(GO) build
# Go module support: set `-mod=vendor` to use the vendored sources
ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
Expand All @@ -46,6 +49,12 @@ $(warning \
Install libsystemd for journald support)
endif

ifeq (,$(BUILDTAG_TRACE_HOOK))
$(warning \
Podman is being compiled without the oci_trace_hook build tag.\
Install libbcc to use the oci-trace-hook)
endif

BUILDTAGS_CROSS ?= containers_image_openpgp containers_image_ostree_stub exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_overlay
ifneq (,$(findstring varlink,$(BUILDTAGS)))
PODMAN_VARLINK_DEPENDENCIES = cmd/podman/varlink/iopodman.go
Expand Down Expand Up @@ -306,7 +315,7 @@ run-perftest: perftest ## Build and run perf tests
vagrant-check:
BOX=$(BOX) sh ./vagrant.sh

binaries: varlink_generate podman podman-remote ## Build podman
binaries: varlink_generate podman podman-remote oci-trace-hook ## Build podman

install.catatonit:
./hack/install_catatonit.sh
Expand Down Expand Up @@ -394,7 +403,7 @@ changelog: ## Generate changelog
$(shell cat $(TMPFILE) >> changelog.txt)
$(shell rm $(TMPFILE))

install: .gopathok install.bin install.remote install.man install.cni install.systemd ## Install binaries to system locations
install: .gopathok install.bin install.remote install.man install.cni install.systemd install.oci-trace-hook ## Install binaries to system locations

install.remote: podman-remote
install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(BINDIR)
Expand Down Expand Up @@ -498,6 +507,21 @@ endef
make all install; \
fi


install.oci-trace-hook:
if [ ! -z "$(BUILDTAG_TRACE_HOOK)" ]; then \
install ${SELINUXOPT} -d -m 755 ${DESTDIR}$(HOOK_BIN_DIR); \
install ${SELINUXOPT} -d -m 755 ${DESTDIR}$(HOOK_DIR) ; \
install ${SELINUXOPT} -m 755 bin/oci-trace-hook ${DESTDIR}$(HOOK_BIN_DIR) ; \
install ${SELINUXOPT} -m 644 cmd/oci-trace-hook/oci-trace-hook-run.json ${DESTDIR}$(HOOK_DIR) ; \
install ${SELINUXOPT} -m 644 cmd/oci-trace-hook/oci-trace-hook-stop.json ${DESTDIR}$(HOOK_DIR) ; \
fi

oci-trace-hook:
if [ ! -z "$(BUILDTAG_TRACE_HOOK)" ] ; then \
$(GO_BUILD) -tags $(BUILDTAG_TRACE_HOOK) -o bin/oci-trace-hook $(PROJECT)/cmd/oci-trace-hook; \
fi

varlink_generate: .gopathok cmd/podman/varlink/iopodman.go ## Generate varlink
varlink_api_generate: .gopathok API.md

Expand Down
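Review bot: `BUILDTAG_TRACE_HOOK ?= $(shell hack/generate_seccomp_tag.sh)` in the `-34,6 +36,7` hunk stores a recursive variable, so the script is re-executed on every expansion — once at parse time through the `ifeq (,$(BUILDTAG_TRACE_HOOK))` check of every invocation including `make clean`, then again in the `oci-trace-hook` recipe and twice in `install.oci-trace-hook`. Expanding it once while still honouring a command-line override is three lines: `ifeq ($(origin BUILDTAG_TRACE_HOOK),undefined)` / `BUILDTAG_TRACE_HOOK := $(shell hack/generate_seccomp_tag.sh)` / `endif`. In the last hunk `install.oci-trace-hook` declares no prerequisite on `oci-trace-hook`, so an `install` run that was not preceded by `binaries` presumably fails at the `install … bin/oci-trace-hook` line whenever the tag is set; `install.oci-trace-hook: oci-trace-hook` fixes that, and both new targets should also be added to the `.PHONY` list, which lies outside these hunks. The `[ ! -z … ]` guard in both recipes is equivalent to the more conventional `[ -n "$(BUILDTAG_TRACE_HOOK)" ]`.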
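--- a/cmd/oci-trace-hook/oci-trace-hook-run.json
+++ b/cmd/oci-trace-hook/oci-trace-hook-run.json
@@ -0,0 +1,18 @@
+{
+"version": "1.0.0",
+"hook": {
+"path": "/usr/local/libexec/oci/hooks.d/oci-trace-hook",
+"args": [
+"oci-trace-hook",
+"-s"
+]
+},
+"when": {
+"annotations": {
+"io.containers.trace-syscall": ".*"
+}
+},
+"stages": [
+"prestart"
+]
+}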
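Review bot: The hook `path` is fixed at `/usr/local/libexec/oci/hooks.d/oci-trace-hook`, while the Makefile in this PR installs the binary to `$(DESTDIR)$(HOOK_BIN_DIR)`, i.e. `${PREFIX}/libexec/oci/hooks.d/`; any build with a different `PREFIX` (distribution packaging commonly uses `/usr`) installs a hook definition that points at a missing binary, so the runtime will presumably fail or skip the hook. Generating the file at install time keeps the two in sync, e.g. `sed 's|/usr/local/libexec/oci/hooks.d/|$(HOOK_BIN_DIR)|' cmd/oci-trace-hook/oci-trace-hook-run.json > $(DESTDIR)$(HOOK_DIR)/oci-trace-hook-run.json` in `install.oci-trace-hook`, or a placeholder such as `@HOOK_BIN_DIR@` substituted there. The `"io.containers.trace-syscall": ".*"` matcher fires on any annotation value, so a container annotated `io.containers.trace-syscall=false` would still be traced; if the value is meant to be honoured, tighten the regex (for example `"^(true|1)$"` — constructed example) or document that the annotation's presence alone enables tracing. The same two points apply to `oci-trace-hook-stop.json`.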
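--- a/cmd/oci-trace-hook/oci-trace-hook-stop.json
+++ b/cmd/oci-trace-hook/oci-trace-hook-stop.json
@@ -0,0 +1,18 @@
+{
+"version": "1.0.0",
+"hook": {
+"path": "/usr/local/libexec/oci/hooks.d/oci-trace-hook",
+"args": [
+"oci-trace-hook",
+"-t"
+]
+},
+"when": {
+"annotations": {
+"io.containers.trace-syscall": ".*"
+}
+},
+"stages": [
+"poststop"
+]
+}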