Comments (12)
This method is ideal for long running containers which would be "monitored" as its functionality is being used, as it only captures the syscalls made during the execution of the container being observed. The more permutations of execution paths ran, the more accurate will be the resulting profile.
A challenge on using seccomp-bpf-hook on a cluster is that it will need to run as root and with CAP_SYS_ADMIN
capability, which effectively allows that container to bypass a considerable amount of security isolation primitives in the nodes. This can put end-users at risk if they were to decide using such feature in production or mixed usage clusters/nodes.
Ideally such approach would be used on ephemeral non-production clusters with the assistance of E2E tests which would be executed against the container being observed.
from security-profiles-operator.
/assign
I'll take over the work from @rhafer :)
from security-profiles-operator.
/priority important-longterm
from security-profiles-operator.
Moving to v2.
from security-profiles-operator.
cc @rhafer @ereslibre @mrostecki
from security-profiles-operator.
I did a bit of reasearch, i just want to cross-reference them:
cri-containerd
doesn't support oci-hooks yet, this is IMO a major blocker for this (containerd/containerd#6645)- ftrace could be a different option (depends on oci-hooks, but doesn't require kernel headers): https://github.com/KentaTada/oci-ftrace-syscall-analyzer
- we could talk to containerd directly to get a PID and inject the eBPF tracer after the container starts (far from ideal, but currently possible)
from security-profiles-operator.
Interesting approaches @moolen and thank you for the insights. 🙏 From my perspective the most clean way would be to let containerd suppport OCI hooks, where I see no major blockers for it. 🤷
from security-profiles-operator.
A challenge on using seccomp-bpf-hook on a cluster is that it will need to run as root and with
CAP_SYS_ADMIN
capability, which effectively allows that container to bypass a considerable amount of security isolation primitives in the nodes. This can put end-users at risk if they were to decide using such feature in production or mixed usage clusters/nodes.
@pjbgf Isn't it only the hook itself that needs CAP_SYS_ADMIN
(in order to setup the bpf tracer). IIUC this doesn't mean that the container itself needs the CAP_SYS_ADMIN
capability.
from security-profiles-operator.
I did a bit of reasearch, i just want to cross-reference them:
cri-containerd
doesn't support oci-hooks yet, this is IMO a major blocker for this (containerd/containerd#6645)- ftrace could be a different option (depends on oci-hooks, but doesn't require kernel headers): https://github.com/KentaTada/oci-ftrace-syscall-analyzer
Yeah, that might be worth a look. Another option would be to utilize the seccomp notifcation mechanism (as already mentioned in initial post), but that does require some changes on lower level runtimes (runc
, crun
, ...)
- we could talk to containerd directly to get a PID and inject the eBPF tracer after the container starts (far from ideal, but currently possible)
Hm, I guess at that point it might already have missed a couple of syscalls? So result would be imcomplete. I agree with @saschagrunert here, it would be cool if containerd would finally get support for oci-hooks.
from security-profiles-operator.
@pjbgf Isn't it only the hook itself that needs
CAP_SYS_ADMIN
(in order to setup the bpf tracer). IIUC this doesn't mean that the container itself needs theCAP_SYS_ADMIN
capability.
Very fair observation. Overall my concern is that requiring users to have something running with CAP_SYS_ADMIN
capability within their clusters may lead a few potential route of privesc/security features bypass that cannot go unchecked. This is not a show stopper in itself, however we need to think what compensating controls we would put in place to limit potential damage.
Once we get to a working prototype we can brainstorm around it.
from security-profiles-operator.
Let's close this for now, more enhancements to the feature to come.
/close
from security-profiles-operator.
@saschagrunert: Closing this issue.
In response to this:
Let's close this for now, more enhancements to the feature to come.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from security-profiles-operator.
Related Issues (20)
- How to log only unique syscalls in audit log file - Security-Profiles-Operator HOT 8
- Vagrant based tests are failing HOT 12
- Autogenerated clientset to access SPO seccompprofile CRs HOT 4
- Support for --http2-disable flag in metrics pod HOT 6
- Running e2e tests on OpenShift hang HOT 1
- AKS spod STATE : UPDATING HOT 12
- Release v0.8.1
- getting owner profile: the node status owner is of an unknown kind HOT 3
- Manage SELinux booleans HOT 10
- tolerations not honoured HOT 4
- AKS eBPF recording HOT 15
- Can not re-install SPO HOT 1
- ignore istio init container while eBPF profiling HOT 8
- AppArmor does not work HOT 15
- Release v0.8.2 HOT 1
- [Question] Disable webhook deployment HOT 4
- Seeing Policy Violations HOT 6
- Security Profiles Operator should support dynamic infrastructures HOT 4
- Release v0.8.3 HOT 1
- deletion of a `SelinuxProfile` object hangs forever HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-profiles-operator.