Introduction to Seccomp: BPF linux syscall filter
Source: Internet  Published by: 六十知天命  Editor: 程序博客网  Time: 2024/06/06 05:32
- 1. Seccomp Introduction
- 2. Seccomp Security Profiles for Docker
  - 2.1 Docker default seccomp profile
  - 2.2 Use custom Seccomp profile
  - 2.3 Docker Run without the default seccomp profile
- 3. Seccomp Security Profiles for Kubernetes
  - 3.1 Kubernetes default seccomp profile
  - 3.2 Kubernetes Use runtime default profile
  - 3.3 Kubernetes Use custom Seccomp profile
1. Seccomp Introduction
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. This filter is defined by Berkeley Packet Filter (BPF) rules.
Seccomp filters Linux system calls by letting a process attach a filter to itself, and the rules of that filter are written in BPF.
Secure computing mode (Seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled. To check if your kernel supports seccomp:
Seccomp is a Linux kernel feature that can be used to filter the system calls available inside a container. Using it requires the following:
Linux Kernel 3.5 or higher && CONFIG_SECCOMP=y
```
root@kube-master:~# cat /boot/config-`uname -r` | grep CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
```
2. Seccomp Security Profiles for Docker
Using this feature with Docker requires the following:
1. Linux Kernel 3.5 or higher && CONFIG_SECCOMP=y
2. Seccomp profiles require seccomp 2.2.1 or higher
3. Version of Docker 1.10 or higher
2.1 Docker default seccomp profile
The default seccomp profile provides a sane default for running containers with seccomp and disables around 52 system calls out of 300+. It is moderately protective while providing wide application compatibility. The default Docker profile (linked from the Docker seccomp documentation) has a JSON layout.
Significant syscalls blocked by the default profile
Docker's default seccomp profile is a whitelist that specifies the calls that are allowed; any syscall not on the whitelist is effectively blocked. The Docker documentation tabulates the significant (but not all) blocked syscalls, together with the reason each one is blocked rather than white-listed (that table is not reproduced here).
2.2 Use custom Seccomp Profiles
When you run a container, it uses the default profile unless you override it with the `--security-opt` option. For example, the following explicitly specifies the default policy:
```
$ docker run --rm -it --security-opt seccomp=/etc/docker/seccomp/profile.json hello-world
```
2.3 Docker Run without the default seccomp profile
You can pass `unconfined` (no restrictions) to run a container without the default seccomp profile.
```
$ docker run --rm -it --security-opt seccomp=unconfined debian:jessie \
    unshare --map-root-user --user sh -c whoami
```
3. Seccomp Security Profiles for Kubernetes
Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in a Kubernetes cluster.
Using this feature with Kubernetes requires the following:
1. Linux Kernel 3.5 or higher && CONFIG_SECCOMP=y
2. Seccomp profiles require seccomp 2.2.1 or higher
3. Version of Docker 1.10 or higher
4. Version of Kubernetes 1.3.0-beta.2 or higher
3.1 Kubernetes default seccomp profile
Containers are run with unconfined seccomp settings by default.
By default Kubernetes uses `unconfined`, that is, it places no restriction on the system calls of any container it creates, which is a security risk!
Here’s an example of a pod that uses the unconfined profile:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: trustworthy-pod
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
spec:
  containers:
    - name: trustworthy-container
      image: sotrustworthy:latest
```
3.2 Kubernetes Use runtime default profile
To bind a specific profile to a Pod, you can use the following alpha annotations:
- Specify a Seccomp profile for all containers of the Pod: `seccomp.security.alpha.kubernetes.io/pod`
- Specify a Seccomp profile for an individual container: `container.seccomp.security.alpha.kubernetes.io/${container_name}`
For a custom profile the value is `localhost/<profile-name>`, where `<profile-name>` is the profile installed under the node's local seccomp profile root.
Example:
Here’s an example of a pod that uses a profile called runtime/default using the container-level annotation:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: explorer
  annotations:
    container.seccomp.security.alpha.kubernetes.io/explorer: runtime/default
spec:
  containers:
    - name: explorer
      image: gcr.io/google_containers/explorer:1.0
      args: ["-port=8080"]
      ports:
        - containerPort: 8080
          protocol: TCP
      volumeMounts:
        - mountPath: "/mount/test-volume"
          name: test-volume
  volumes:
    - name: test-volume
      emptyDir: {}
```
3.3 Kubernetes Use custom Seccomp profile
Steps to use a custom Seccomp profile:
3.3.1 Set the seccomp profile root path on every kubelet worker node
```
--seccomp-profile-root string   Directory path for seccomp profiles. (default "/var/lib/kubelet/seccomp")
```
3.3.2 Create a profile written as BPF rules under the seccomp profile root
No profile is shown here; refer to Docker's default BPF rules in section 2.1 for the format.
3.3.3 Specify the custom profile when creating the container
`seccomp.security.alpha.kubernetes.io/pod: localhost/<profile-name>`
3.3.4 Example
If you want to use custom profiles (prefixed with `localhost/`), you have to copy them to all worker nodes in your cluster. The default folder for profiles is `/var/lib/kubelet/seccomp`.
Example 1:
Here’s an example of a pod that uses a profile called example-explorer-profile using the container-level annotation:
Seccomp profile: `/var/lib/kubelet/seccomp/example-explorer-profile`
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: explorer
  annotations:
    container.seccomp.security.alpha.kubernetes.io/explorer: localhost/example-explorer-profile
spec:
  containers:
    - name: explorer
      image: gcr.io/google_containers/explorer:1.0
      args: ["-port=8080"]
      ports:
        - containerPort: 8080
          protocol: TCP
      volumeMounts:
        - mountPath: "/mount/test-volume"
          name: test-volume
  volumes:
    - name: test-volume
      emptyDir: {}
```
Example 2: How to prevent the chmod syscall
In this example we spin up two Pods. Both try to change the permissions on a file. The Pod `chmod-unconfined` runs with Docker's default profile and exits successfully, while the same command in the Pod `chmod-prevented` fails because its Seccomp profile does not allow it.
Seccomp profile `/var/lib/kubelet/seccomp/prevent-chmod`:
```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: chmod-unconfined
spec:
  containers:
    - name: chmod
      image: busybox
      command:
        - "chmod"
      args:
        - "666"
        - /etc/hostname
  restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
  name: chmod-prevented
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: localhost/prevent-chmod
spec:
  containers:
    - name: chmod
      image: busybox
      command:
        - "chmod"
      args:
        - "666"
        - /etc/hostname
  restartPolicy: Never
```
```
$ kubectl create -f seccomp-pods.yaml
pod "chmod-unconfined" created
pod "chmod-prevented" created
$ kubectl get pods -a
NAME               READY     STATUS      RESTARTS   AGE
chmod-prevented    0/1       Error       0          8s
chmod-unconfined   0/1       Completed   0          8s
```
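As an added example (not code from this page, Docker, runc or the kernel), the following Python evaluator applies a Docker/OCI-style profile, such as the `prevent-chmod` profile above or an allow-list in the style of Docker's default profile from section 2.1, to a named syscall and its arguments, so a custom profile can be reasoned about before it is copied to every node. The allow-list profile, the `clone()` flag value and all syscall arguments are constructed for illustration.

```python
import json

# Matching follows the OCI runtime-spec: the first rule whose names and argument
# conditions all match decides the action; otherwise defaultAction applies.

# The prevent-chmod profile from this page, embedded as sample input.
PREVENT_CHMOD = json.loads('''{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [ { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ]
}''')

# A constructed allow-list in the style of Docker's default profile (far shorter
# than the real one): anything not listed is refused, and clone() is allowed only
# when CLONE_NEWUSER (0x10000000) is clear in its flags, via a masked comparison.
ALLOW_LIST = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group", "chmod"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0x10000000, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
    ],
}

def arg_matches(cond, args):
    """Evaluate one OCI 'args' condition against the syscall's argument tuple."""
    if cond["index"] >= len(args):
        return False          # argument not supplied: the condition cannot hold
    a, v, v2 = args[cond["index"]], cond.get("value", 0), cond.get("valueTwo", 0)
    return {
        "SCMP_CMP_NE": a != v, "SCMP_CMP_LT": a < v, "SCMP_CMP_LE": a <= v,
        "SCMP_CMP_EQ": a == v, "SCMP_CMP_GE": a >= v, "SCMP_CMP_GT": a > v,
        "SCMP_CMP_MASKED_EQ": (a & v) == v2,   # (arg & mask) == expected value
    }[cond["op"]]

def decide(profile, name, args=()):
    """Return the SCMP_ACT_* action the profile gives to syscall `name` with `args`."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule["name"]]   # older Docker profiles use "name"
        if name in names and all(arg_matches(c, args) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]

if __name__ == "__main__":
    # Blocking only "chmod" leaves fchmod/fchmodat untouched; a block-list profile
    # needs every variant listed, which is why an allow-list is the safer default.
    for sc in ("chmod", "fchmodat"):
        print(sc, decide(PREVENT_CHMOD, sc))
    print("clone(CLONE_NEWUSER)", decide(ALLOW_LIST, "clone", (0x10000000,)))
```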
References:
https://github.com/kubernetes/kubernetes/blob/release-1.4/docs/design/seccomp.md
https://docs.docker.com/engine/security/seccomp/
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://github.com/torvalds/linux/tree/master/samples/seccomp
https://blog.jetstack.io/blog/kubernetes-1-3-hidden-gems/
https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
http://www.selinuxplus.com/?p=370