A simple and easy-to-use Linux security profile generator
Latest commit 27a7ce7 Jul 18, 2017 @GrantSeltzer add comments
Signed-off-by: grantseltzer <grant@capsule8.com>

README.md

KARN


Karn is an admin-friendly tool for creating seccomp and apparmor profiles. Originally proposed here as part of the Linux Container Hardening project.


STATUS: alpha

Baseline functionality exists. Filtering on specific seccomp arguments is not yet supported (but will be soon).

Check out the issues for things that are not yet implemented.


Goal

Create a simple permission scheme for easily securing containers. Developers can just specify what their container will need permission to do and this tool will output the corresponding seccomp and apparmor configurations. This can be thought of as iOS entitlements for containers!

How it works

Declarations - You can think of these as rule definitions. A declaration corresponds to particular system calls, capabilities, filesystem rules, networking rules, and other security-related rules. Each file corresponds to a single declaration. Declarations should follow the naming convention of "_declaration.toml". Declarations are combined to generate seccomp and apparmor profiles. Here are a couple of examples of what a declaration looks like:

dns_declaration.toml

[System-Calls]
Allow = [
       "sendto",
       "recvfrom",
       "socket",
       "connect"
]

chown_declaration.toml

[System-Calls]
Allow = [
       "chown",
       "chown32",
       "fchown",
       "fchown32",
       "fchownat",
       "lchown",
       "lchown32"
]

[Capabilities]
Allow = ["chown"] # CAP_CHOWN

These declarations should be stored in ~/.karn/declarations. To combine these two declarations into seccomp and apparmor profiles, run karn generate chown dns. You can also pass a different declaration directory with the -d/--declarations flag.

Resources

  • system calls - the 'API' of the kernel
  • capabilities - a way of granting permissions
  • seccomp - a system call filtering facility
  • apparmor - a security facility for specifying various security rules such as capabilities
  • containers - Linux processes that karn output can protect
  • toml - the language karn uses
  • contained.af - a CTF game meant to teach you about syscalls and capabilities

Questions/Concerns? Open an issue or email me - grant at capsule8.com