[WIP] - Generate seccomp profile by tracing the syscalls made by the container #3576

weirdwiz · 2019-07-15T13:55:21Z

This pull request adds the ability for podman to generate seccomp profiles by tracing the syscalls made by the container. The generated profile would whitelist all the syscalls made and blacklist every other syscall.

The syscalls are traced by launching a binary by using the prestart OCI-hook. The binary started spawns a child process which attaches function enter_trace to the raw_syscalls:sys_enter tracepoint using eBPF. The function looks at all the syscalls made on the system and writes the syscalls which have the same PID namespace as the container to the perf buffer. The perf buffer is read by the process in the userspace and generates a seccomp profile when the container exits.

There are a few limitations to this approach:

Needs CAP_SYS_ADMIN to run
Compiles C code on the fly
Cannot use podman run --rm along with this ability

To build it, we need extra dependencies namely bcc-devel and kernel-headers for Fedora and bcc-tools and linux-headers-[..] for Ubuntu.

Interface:

sudo podman run --annotation io.podman.trace-syscall=[absolute path to the json file] IMAGE COMMAND

The profile will be created at the path provided to the annotation.

CIRRUS: TEST IMAGES

rh-atomic-bot · 2019-07-15T14:03:58Z

Can one of the admins verify this patch?
I understand the following commands:

bot, add author to whitelist
bot, test pull request
bot, test pull request once

cmd/podman/shared/create.go

cmd/podman/oci-trace-hook/trace.go

pkg/adapter/containers.go

mheon · 2019-07-15T14:48:52Z

/ok-to-test
/approve

openshift-ci-robot · 2019-07-15T14:48:55Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon, weirdwiz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [mheon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

giuseppe · 2019-07-15T17:47:15Z

This commit adds the flag --genseccomp to podman which can trace the syscalls made by a container and create a container profile from all the syscalls collected

I think this should go under podman generate

vrothberg · 2019-07-16T09:14:43Z

This commit adds the flag --genseccomp to podman which can trace the syscalls made by a container and create a container profile from all the syscalls collected

I think this should go under podman generate

podman generate operates on running containers. I find it easier to just add a flag to podman-run and podman-create.

@rhatdan WDYT?

vrothberg

@weirdwiz, we need docs and bash-completion as well before we can merge.

vrothberg · 2019-07-16T09:18:15Z

@weirdwiz, we need docs and bash-completion as well before we can merge.

And tests :^)

weirdwiz · 2019-07-16T09:32:47Z

@vrothberg Yes, I'm on it :D

Signed-off-by: Divyansh Kamboj <[email protected]>

vrothberg · 2019-09-22T08:21:04Z

Closing the PR as we created a dedicated project for the OCI hooks: https://github.com/containers/oci-seccomp-bpf-hook/

Thank you so much, @weirdwiz, for your great work! Looking forward to continue working with you over at https://github.com/containers/oci-seccomp-bpf-hook/ 🚀

weirdwiz · 2019-09-22T08:59:00Z

Thanks for the help and mentorship @vrothberg @rhatdan, wouldn't have been possible without it!

openshift-ci-robot requested review from TomSweeneyRedHat and rhatdan July 15, 2019 13:55

openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 15, 2019