seccomp-gen

command module
v1.2.4

This package is not in the latest version of its module.

Published: Oct 26, 2022 License: MIT Imports: 16 Imported by: 0

README

seccomp-gen


Docker Secure Computing Profile Generator


Why 🤔

Pipe the output of strace through this tool and it generates a Docker seccomp profile that allows only the system calls your container was observed to make and denies everything else (the profile's default action rejects any syscall not on the list).

This removes a large part of the kernel's attack surface: a syscall the profile does not list is unavailable to anything running in the container, including an attacker who has gained code execution inside it, so kernel-level exploitation and lateral movement have far fewer entry points to work with.

Supported syscall architectures (so far)

  • SCMP_ARCH_X86
  • SCMP_ARCH_X32

Install

macOS
$ brew install blacktop/tap/seccomp-gen
linux/windows

Download from releases

Getting Started

strace writes its trace to stderr, so the 2>&1 is what actually feeds the trace to scgen; the generated profile is written to seccomp.json in the current directory.

$ strace -ff curl github.com 2>&1 | scgen -verbose

   • found syscall: execve
   • found syscall: brk
   • found syscall: access
   • found syscall: access
   • found syscall: openat
   • found syscall: fstat
   • found syscall: mmap
   ...
$ ls -lah

-rw-r--r--   1 blacktop  staff   6.7K Dec  1 21:23 seccomp.json
Inside Docker

Create a new Dockerfile

FROM <your>/<image>:<tag>
RUN apt-get update && apt-get install -y strace
CMD ["strace","-ff","/your-entrypoint.sh"]

Build the tracing image

$ docker build -t <your>/<image>:scgen .

Generate the seccomp profile from the container's output. The tracing run itself must not be restricted, so it runs with seccomp=unconfined; strace's trace goes to stderr, hence the 2>&1:

docker run --rm --security-opt seccomp=unconfined <your>/<image>:scgen 2>&1 | scgen -verbose

Use your 🆕 seccomp profile

docker run --rm --security-opt no-new-privileges --security-opt seccomp=/path/to/seccomp.json <your>/<image>:<tag>
Known Issue ⚠

strace sometimes misses syscalls, and it can only record what the traced run actually does: a code path that was never exercised (error handling, a signal handler, graceful shutdown) produces no trace entries, and its syscalls will be denied once the profile is in use. Exercise every path you care about before generating the profile. If the container still fails under the generated profile, it should fail at the first syscall the profile does not allow, which tells you what is missing; add that syscall to the profile by hand and repeat the process until the container runs cleanly.
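To make the generation step in "Why" and the manual-add step of this Known Issue concrete, here is an added example in Go. It is not scgen's code and does not reproduce its output: the regexes, the SCMP_ACT_ERRNO default action, the inclusion of SCMP_ARCH_X86_64 alongside the two architectures the README lists, and the sample strace transcript are all assumptions of mine, and a real tool should additionally validate each extracted name against the kernel's syscall table so that stray program output merged in by 2>&1 cannot sneak a bogus entry into the profile.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Profile and Syscall mirror the subset of Docker's seccomp JSON schema this
// example emits: a default action plus a single allow rule listing names.
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Architectures []string  `json:"architectures"`
	Syscalls      []Syscall `json:"syscalls"`
}

type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// callRe matches the syscall name that opens a strace line, after the optional
// "[pid N]" prefix that strace -ff adds when it follows child processes.
var callRe = regexp.MustCompile(`^(?:\[pid +\d+\] +)?([a-z_][a-z0-9_]*)\(`)

// resumedRe matches "<... name resumed>" lines, printed when a call that was
// interrupted by another thread's activity completes later in the trace.
var resumedRe = regexp.MustCompile(`^(?:\[pid +\d+\] +)?<\.\.\. ([a-z_][a-z0-9_]*) resumed>`)

// sampleTrace is a constructed strace -ff transcript, not real curl output.
const sampleTrace = `execve("/usr/bin/curl", ["curl", "github.com"], 0x7ffd2a1c3e40 /* 20 vars */) = 0
brk(NULL)                               = 0x55d6e3c2e000
[pid 12345] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 12345] read(3,  <unfinished ...>
strace: Process 12346 attached
[pid 12346] <... read resumed>"\177ELF", 832) = 832
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12346, si_status=0} ---
+++ exited with 0 +++
`

// ExtractSyscalls returns the sorted, de-duplicated syscall names in a trace.
// Signal lines ("--- ..."), exit markers ("+++ ...") and strace's own status
// messages match neither pattern and are ignored.
func ExtractSyscalls(trace string) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		for _, re := range []*regexp.Regexp{callRe, resumedRe} {
			if m := re.FindStringSubmatch(line); m != nil {
				seen[m[1]] = true
				break
			}
		}
	}
	return sortedKeys(seen)
}

func sortedKeys(set map[string]bool) []string {
	names := make([]string, 0, len(set))
	for n := range set {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// BuildProfile merges the observed names with any extras added by hand (the
// "add that one manually and repeat" step) into a deny-by-default profile.
func BuildProfile(observed []string, extra ...string) Profile {
	set := map[string]bool{}
	for _, n := range observed {
		set[n] = true
	}
	for _, n := range extra {
		set[n] = true
	}
	return Profile{
		DefaultAction: "SCMP_ACT_ERRNO", // any unlisted syscall fails with EPERM
		// SCMP_ARCH_X86_64 is assumed for a 64-bit container; the README lists
		// SCMP_ARCH_X86 and SCMP_ARCH_X32 as what the tool itself supports.
		Architectures: []string{"SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"},
		Syscalls:      []Syscall{{Names: sortedKeys(set), Action: "SCMP_ACT_ALLOW"}},
	}
}

// ProfileJSON renders the profile in the indented form Docker accepts.
func ProfileJSON(p Profile) ([]byte, error) {
	return json.MarshalIndent(p, "", "  ")
}

func main() {
	// Extra names on the command line are the ones you add by hand after a
	// run under the profile was denied a call the trace never exercised.
	p := BuildProfile(ExtractSyscalls(sampleTrace), os.Args[1:]...)
	out, err := ProfileJSON(p)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

Run it as `go run . > seccomp.json` to get a profile allowing brk, execve, openat and read; `go run . stat > seccomp.json` shows the repair loop from the Known Issue, merging a syscall the trace missed without re-tracing. Note that `<... read resumed>` is folded into the same `read` entry: a profile built only from lines that begin with a syscall name would silently drop any call that happened to be interrupted during the trace.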

Credits

TODO

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue

License

MIT Copyright (c) 2018 blacktop

Documentation

There is no documentation for this package.