avilum / secimport
eBPF Python runtime sandbox with seccomp (Blocks RCE).
Home Page: https://avilum.github.io/secimport/
License: MIT License
Describe the bug
ModuleNotFoundError: No module named 'numpy'
To Reproduce
Steps to reproduce the behavior:
>>> import secimport
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".venv/lib/python3.10/site-packages/secimport/__init__.py", line 1, in <module>
from secimport.sandbox_helper import secure_import
File ".venv/lib/python3.10/site-packages/secimport/sandbox_helper.py", line 13, in <module>
from numpy import isin
ModuleNotFoundError: No module named 'numpy'
Make the dtrace destructive attribute optional.
It can be done by creating a variable for the “PRAGMA destructive” header in the template.
Hello,
I don't understand the following, since the documentation shows that the attribute exists: https://docs.python.org/3.9/library/importlib.html
>>> os = secure_import('os', allow_shells=False)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/dev/secimport_testing/venv/lib/python3.9/site-packages/secimport/sandbox_helper.py", line 50, in secure_import
assert run_dtrace_script_for_module(
File "dev/secimport_testing/venv/lib/python3.9/site-packages/secimport/sandbox_helper.py", line 81, in run_dtrace_script_for_module
module_file_path = create_dtrace_script_for_module(
File "dev/secimport_testing/venv/lib/python3.9/site-packages/secimport/sandbox_helper.py", line 128, in create_dtrace_script_for_module
module = importlib.machinery.PathFinder().find_spec(module_name)
AttributeError: module 'importlib' has no attribute 'machinery'
UPDATE: This is not the issue of concern, see comments.
Describe the bug
secimport interactive
Welcome to secimport!
Continue? (y): y
Tracing using ['/home/lukas/venv/lib/python3.10/site-packages/secimport/profiles/trace.bt', '-c', '/home/lukas/venv/bin/python', '-o', 'trace.log', '/home/lukas/venv/bin/python']
Press CTRL+D or CTRL+C to stop the trace gracefully.
ERROR: Unknown error -1: couldn't set RLIMIT_MEMLOCK for bpftrace. If your program is not loading, you can try "ulimit -l 8192" to fix the problem
/home/lukas/venv/lib/python3.10/site-packages/secimport/profiles/trace.bt:703-705: ERROR: tracepoint not found: raw_syscalls:sys_enter
The trace log is at ./trace.log
Running "secimport build"; it compiles ./trace.log which is the trace log to ./sandbox.bt
syscalls:
nsjail sandbox: nsjail -Ml -Mo --chroot / --port 8000 --user 99999 --group 99999 --seccomp_string 'ALLOW { } DEFAULT KILL' -- /home/lukas/venv/bin/python -i
Policy is ready: policy.yaml policy.json
[info] Creating profile for general_requirements
[debug] adding syscall vfork to blocklist for module general_requirements
[debug] adding syscall clone to blocklist for module general_requirements
[debug] adding syscall access to blocklist for module general_requirements
[debug] adding syscall chdir to blocklist for module general_requirements
[debug] adding syscall creat to blocklist for module general_requirements
[debug] adding syscall dup to blocklist for module general_requirements
[debug] adding syscall dup2 to blocklist for module general_requirements
[debug] adding syscall execve to blocklist for module general_requirements
[debug] adding syscall faccessat to blocklist for module general_requirements
[debug] adding syscall fcntl to blocklist for module general_requirements
[debug] adding syscall fdatasync to blocklist for module general_requirements
[debug] adding syscall fork to blocklist for module general_requirements
[debug] adding syscall fstat to blocklist for module general_requirements
[debug] adding syscall fsync to blocklist for module general_requirements
[debug] adding syscall getegid to blocklist for module general_requirements
[debug] adding syscall geteuid to blocklist for module general_requirements
[debug] adding syscall getgid to blocklist for module general_requirements
[debug] adding syscall getgroups to blocklist for module general_requirements
[debug] adding syscall getpid to blocklist for module general_requirements
[debug] adding syscall getppid to blocklist for module general_requirements
[debug] adding syscall getrlimit to blocklist for module general_requirements
[debug] adding syscall getsockname to blocklist for module general_requirements
[debug] adding syscall getsid to blocklist for module general_requirements
[debug] adding syscall getuid to blocklist for module general_requirements
[debug] adding syscall ioctl to blocklist for module general_requirements
[debug] adding syscall link to blocklist for module general_requirements
[debug] adding syscall lseek to blocklist for module general_requirements
[debug] adding syscall lstat to blocklist for module general_requirements
[debug] adding syscall mkdir to blocklist for module general_requirements
[debug] adding syscall mknod to blocklist for module general_requirements
[debug] adding syscall open to blocklist for module general_requirements
[debug] adding syscall openat to blocklist for module general_requirements
[debug] adding syscall pipe to blocklist for module general_requirements
[debug] adding syscall poll to blocklist for module general_requirements
[debug] adding syscall read to blocklist for module general_requirements
[debug] adding syscall readlink to blocklist for module general_requirements
[debug] adding syscall readv to blocklist for module general_requirements
[debug] adding syscall recvfrom to blocklist for module general_requirements
[debug] adding syscall recvmsg to blocklist for module general_requirements
[debug] adding syscall rename to blocklist for module general_requirements
[debug] adding syscall rmdir to blocklist for module general_requirements
[debug] adding syscall select to blocklist for module general_requirements
[debug] adding syscall sendmsg to blocklist for module general_requirements
[debug] adding syscall sendto to blocklist for module general_requirements
[debug] adding syscall setgid to blocklist for module general_requirements
[debug] adding syscall setgroups to blocklist for module general_requirements
[debug] adding syscall setpgid to blocklist for module general_requirements
[debug] adding syscall setpriority to blocklist for module general_requirements
[debug] adding syscall setregid to blocklist for module general_requirements
[debug] adding syscall setreuid to blocklist for module general_requirements
[debug] adding syscall setrlimit to blocklist for module general_requirements
[debug] adding syscall setsid to blocklist for module general_requirements
[debug] adding syscall setsockopt to blocklist for module general_requirements
[debug] adding syscall stat to blocklist for module general_requirements
[debug] adding syscall symlink to blocklist for module general_requirements
[debug] adding syscall truncate to blocklist for module general_requirements
[debug] adding syscall umask to blocklist for module general_requirements
[debug] adding syscall utime to blocklist for module general_requirements
[debug] adding syscall utimes to blocklist for module general_requirements
[debug] adding syscall write to blocklist for module general_requirements
[debug] adding syscall writev to blocklist for module general_requirements
The profile does not contain any modules: policy.yaml
Traceback (most recent call last):
File "/home/lukas/venv/bin/secimport", line 8, in <module>
sys.exit(main())
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 424, in main
fire.Fire(SecImportCLI())
File "/home/lukas/venv/lib/python3.10/site-packages/fire/core.py", line 141, in Fire
component_trace = _Fire(component, args, parsed_flag_args, context, name)
File "/home/lukas/venv/lib/python3.10/site-packages/fire/core.py", line 475, in _Fire
component, remaining_args = _CallAndUpdateTrace(
File "/home/lukas/venv/lib/python3.10/site-packages/fire/core.py", line 691, in _CallAndUpdateTrace
component = fn(*varargs, **kwargs)
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 399, in interactive
SecImportCLI.build()
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 292, in build
bpftrace_sandbox_filename = SecImportCLI.compile_sandbox_from_profile(
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 165, in compile_sandbox_from_profile
raise AssertionError(
AssertionError: The trace file 'policy.yaml' has 0 modules. A valid policy should include at least 1 module.
To Reproduce
Steps to reproduce the behavior:
RUN apt update && apt -y upgrade
RUN apt -y install build-essential git bpftrace vim python3.10-venv
in the container, as root, build and activate venv
python3 -m venv venv
source venv/bin/activate
install secimport
python -m pip install secimport
verify --with-dtrace, success
readelf -n $(which python) | grep -i function__entry
output: Name: function__entry
run secimport
secimport interactive
DOD: Enable users to import modules with only specific syscalls.
e.g.:
secure_import(..., allow_syscalls=['read', 'select', ...])
secure_import(..., disallow_syscalls=['forkexec', 'chroot', ...])
secure_import(..., allow_syscalls=[('read', '/tmp/'), ...])
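The semantics the request above asks for (an allow list, a deny list, and path-scoped allow entries such as ('read', '/tmp/')) can be pinned down with a small policy checker run over a traced sequence of syscalls, in the spirit of the trace-then-build flow shown in the "secimport interactive" output earlier on this page. The following is an added example, not code from secimport: `check_trace`, `Violation`, `observed_syscalls`, `kernel_enforceable`, `to_seccomp_string` and `SAMPLE_TRACE` are all hypothetical names, the trace events are constructed, and the `ALLOW { ... } DEFAULT KILL` string only copies the shape of the nsjail `--seccomp_string` printed by the build step. The caveat it makes visible: a path-scoped rule cannot be expressed to seccomp, which sees syscall numbers and integer arguments but not the strings those pointers reference, so path scoping must be enforced by the tracer or another userspace layer.

```python
"""Allow/deny syscall policy checker (added example; hypothetical API, not secimport's)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple, Union

# One traced event: the syscall name and, where the tracer captured one, its path argument.
Event = Tuple[str, Optional[str]]
# An allow-list entry is either a bare syscall name or (name, path_prefix); the tuple form
# permits the syscall only when its path argument starts with that prefix.
AllowEntry = Union[str, Tuple[str, str]]

# Constructed trace (not a real trace.log): a module reads a cache under /tmp, polls,
# then reads a file outside /tmp and spawns a shell.
SAMPLE_TRACE: Sequence[Event] = (
    ("openat", "/tmp/cache.db"),
    ("read", "/tmp/cache.db"),
    ("select", None),
    ("openat", "/etc/passwd"),
    ("read", "/etc/passwd"),
    ("execve", "/bin/sh"),
)


@dataclass(frozen=True)
class Violation:
    index: int            # position of the offending event in the trace
    syscall: str
    path: Optional[str]


def _allowed_by_entry(entry: AllowEntry, syscall: str, path: Optional[str]) -> bool:
    """True if a single allow-list entry covers this event."""
    if isinstance(entry, str):
        return entry == syscall
    name, prefix = entry
    return name == syscall and path is not None and path.startswith(prefix)


def check_trace(events: Iterable[Event],
                allow_syscalls: Optional[Sequence[AllowEntry]] = None,
                disallow_syscalls: Optional[Iterable[str]] = None) -> List[Violation]:
    """Return every event the policy would reject.

    disallow_syscalls always wins; if allow_syscalls is given, anything it does not
    cover is rejected; with neither, every event passes.
    """
    deny = set(disallow_syscalls or ())
    violations: List[Violation] = []
    for index, (syscall, path) in enumerate(events):
        if syscall in deny:
            violations.append(Violation(index, syscall, path))
        elif allow_syscalls is not None and not any(
                _allowed_by_entry(entry, syscall, path) for entry in allow_syscalls):
            violations.append(Violation(index, syscall, path))
    return violations


def observed_syscalls(events: Iterable[Event]) -> List[str]:
    """Distinct syscall names seen in a trace, which is what a build step turns into a policy."""
    return sorted({syscall for syscall, _ in events})


def kernel_enforceable(allow_syscalls: Sequence[AllowEntry]) -> List[str]:
    """Syscall names a seccomp filter can allow; the path prefix of tuple entries is dropped,
    since seccomp cannot inspect the string a pointer argument refers to."""
    return sorted({entry if isinstance(entry, str) else entry[0] for entry in allow_syscalls})


def to_seccomp_string(allowed: Iterable[str]) -> str:
    """Render an allow list in the shape of the nsjail --seccomp_string seen in the build output
    (format assumed from that output, not verified against the nsjail/kafel grammar)."""
    names = ", ".join(sorted(set(allowed)))
    body = f" {names} " if names else " "
    return "ALLOW {" + body + "} DEFAULT KILL"


if __name__ == "__main__":
    policy = [("openat", "/tmp/"), ("read", "/tmp/"), "select"]
    print("observed:", observed_syscalls(SAMPLE_TRACE))
    for v in check_trace(SAMPLE_TRACE, allow_syscalls=policy):
        print(f"violation #{v.index}: {v.syscall} {v.path or ''}")
    print(to_seccomp_string(kernel_enforceable(policy)))
```

With the path-scoped policy, the two accesses to /etc/passwd and the execve are reported while the /tmp reads pass; the seccomp string derived from the same policy can only say "openat, read, select", so the /etc/passwd reads would slip past a kernel filter alone, which is exactly why the path component has to live in the tracer.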
Enable running out of band - without replacing the imports with secure_import in the code.