blacktop/seccomp-gen
seccomp-gen


Docker Secure Computing Profile Generator


Why 🤔

This tool lets you pipe the output of strace through it and auto-generates a Docker seccomp profile that whitelists only the syscalls your container needs to run and blacklists everything else.

This adds a LOT of security by drastically limiting your attack surface to only what is needed.

Syscall Arch Supported (so far)

  • SCMP_ARCH_X86
  • SCMP_ARCH_X32

Install

macOS

$ brew install blacktop/tap/seccomp-gen

linux/windows

Download from releases

Getting Started

$ strace -ff curl github.com 2>&1 | scgen -verbose

   • found syscall: execve
   • found syscall: brk
   • found syscall: access
   • found syscall: access
   • found syscall: openat
   • found syscall: fstat
   • found syscall: mmap
   ...

$ ls -lah

-rw-r--r--   1 blacktop  staff   6.7K Dec  1 21:23 seccomp.json

Inside Docker

Create a new Dockerfile

FROM <your>/<image>:<tag>
RUN apt-get update && apt-get install -y strace
CMD ["strace","-ff","/your-entrypoint.sh"]

Build scgen image

$ docker build -t <your>/<image>:scgen .

Generate seccomp profile from docker logs output

$ docker run --rm --security-opt seccomp=unconfined <your>/<image>:scgen 2>&1 | scgen -verbose

Use your 🆕 seccomp profile

$ docker run --rm --security-opt no-new-privileges --security-opt seccomp=/path/to/seccomp.json <your>/<image>:<tag>

Known Issue ⚠️

I have noticed that strace misses things, but if you run with the generated seccomp profile, Docker should tell you the next syscall it needs by erroring out. Then you can add that one manually and repeat the process.
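To make the strace-to-profile step in the Why section and the manual-fixup loop in Known Issue concrete, here is an added Go example (not the seccomp-gen source) that pulls syscall names out of strace output and writes them into a Docker seccomp profile. The sample trace is constructed, the profile uses Docker's seccomp JSON field names, and the choice of SCMP_ACT_ERRNO as the default action is an assumption that matches the "erroring out" behaviour described above; the real tool's output may differ in detail.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)
// callRe takes the syscall name at each line start; "[pid N]" is the prefix strace adds when following children.
var callRe = regexp.MustCompile(`(?m)^(?:\[pid\s+\d+\]\s*)?([a-z_][a-z0-9_]*)\(`)
// SampleTrace is a constructed strace fragment, not a real capture.
const SampleTrace = `execve("/usr/bin/curl", ["curl", "github.com"], 0x7ffc /* 12 vars */) = 0
[pid  4242] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] read(3,  <unfinished ...>
[pid  4243] <... read resumed>"...", 4096) = 171
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY) = 4`
// Rule and Profile mirror the fields Docker reads from a seccomp profile.
type Rule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}
type Profile struct {
	DefaultAction string   `json:"defaultAction"`
	Architectures []string `json:"architectures"`
	Syscalls      []Rule   `json:"syscalls"`
}
// ParseStrace returns sorted, de-duplicated syscall names; "<... resumed>", signal and exit lines are skipped.
func ParseStrace(out string) []string {
	seen := map[string]bool{}
	for _, m := range callRe.FindAllStringSubmatch(out, -1) {
		seen[m[1]] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}
// GenerateProfile allows exactly names; any other syscall fails with EPERM, the error the Known Issue loop relies on.
func GenerateProfile(names []string) string {
	p := Profile{"SCMP_ACT_ERRNO", []string{"SCMP_ARCH_X86", "SCMP_ARCH_X32"},
		[]Rule{{Names: names, Action: "SCMP_ACT_ALLOW"}}}
	b, _ := json.MarshalIndent(p, "", "  ")
	return string(b)
}
func main() {
	fmt.Println(GenerateProfile(ParseStrace(SampleTrace)))
}
```

When Docker reports a missing syscall with the generated profile, append its name to the list passed to GenerateProfile and rerun.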

Credits

TODO

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue.

License

MIT Copyright (c) 2018 blacktop