KARN
Karn is an admin-friendly tool for creating seccomp and apparmor profiles. Originally proposed here as part of the Linux Container Hardening project.
STATUS: alpha
Baseline functionality exists. Filtering on specific seccomp system call arguments is not yet supported (but will be soon).
Check out the issues for things that are not yet implemented.
Goal
Create a simple permission scheme for easily securing containers. Developers can just specify what their container will need permission to do and this tool will output the corresponding seccomp and apparmor configurations. This can be thought of as iOS entitlements for containers!
How it works
Declarations - You can think of these as rule definitions. A declaration maps a named permission to the particular system calls, capabilities, filesystem rules, networking rules, and other security-related rules it requires. Each file holds exactly one declaration, and declaration files should follow the naming convention "_declaration.toml". Declarations are combined to generate seccomp and apparmor profiles. Here are a couple of examples of what a declaration looks like:
dns_declaration.toml
[System-Calls]
Allow = [
"sendto",
"recvfrom",
"socket",
"connect"
]
chown_declaration.toml
[System-Calls]
Allow = [
"chown",
"chown32",
"fchown",
"fchown32",
"fchownat",
"lchown",
"lchown32"
]
[Capabilities]
Allow = ["chown"] # CAP_CHOWN
These declarations should be stored in ~/.karn/declarations. To combine these two declarations into seccomp and apparmor profiles, simply run karn generate chown dns. You can also point at a different declaration directory with the -d/--declarations flag.
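To make the combination step concrete, here is an added example (not Karn's own code) that reads the two declarations above, unions their Allow lists, and emits a default-deny seccomp profile plus an AppArmor profile fragment. The parser only understands the TOML subset the declarations use ([Section] headers, Key = [ "..." ] arrays and # comments), the seccomp output uses the JSON layout Docker/OCI runtimes accept, and the profile name "karn-generated" is a placeholder; Karn's real output format may differ.

```python
"""Added example, not Karn's own code: merge declaration files into a
seccomp profile (Docker/OCI JSON layout) and an AppArmor profile fragment.
Only the TOML subset used by the declarations is handled."""
import json
import re

# Constructed sample: the two declarations from the README, keyed by file name.
DECLARATIONS = {
    "dns_declaration.toml": """
[System-Calls]
Allow = [
    "sendto",
    "recvfrom",
    "socket",
    "connect"
]
""",
    "chown_declaration.toml": """
[System-Calls]
Allow = [
    "chown",
    "chown32",
    "fchown",
    "fchown32",
    "fchownat",
    "lchown",
    "lchown32"
]
[Capabilities]
Allow = ["chown"] # CAP_CHOWN
""",
}


def parse_declaration(text):
    """Parse one declaration into {section: {key: [values]}} (TOML subset only)."""
    result, section, key, buf = {}, None, None, ""
    for raw in text.splitlines():
        # Drop comments; the subset never puts '#' inside a quoted string.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if key is None:
            m = re.fullmatch(r"\[([A-Za-z0-9_-]+)\]", line)
            if m:
                section = m.group(1)
                result.setdefault(section, {})
                continue
            if section is None:
                raise ValueError("key outside a section: %r" % line)
            k, _, rest = line.partition("=")
            key, buf = k.strip(), rest.strip()
        else:
            buf += " " + line  # continuation of a multi-line array
        if buf.endswith("]"):  # array closed on this line
            if not buf.startswith("["):
                raise ValueError("only array values are supported: %r" % buf)
            result[section][key] = re.findall(r'"([^"]*)"', buf)
            key, buf = None, ""
    if key is not None:
        raise ValueError("unterminated array for key %r" % key)
    return result


def merge(declarations):
    """Union the Allow lists across declarations; duplicates collapse, first-seen order is kept."""
    syscalls, caps = [], []
    for name in sorted(declarations):
        parsed = parse_declaration(declarations[name])
        for s in parsed.get("System-Calls", {}).get("Allow", []):
            if s not in syscalls:
                syscalls.append(s)
        for c in parsed.get("Capabilities", {}).get("Allow", []):
            if c not in caps:
                caps.append(c)
    return syscalls, caps


def seccomp_profile(syscalls):
    """Default-deny seccomp profile: everything not listed fails with an errno."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(syscalls), "action": "SCMP_ACT_ALLOW"}],
    }


def apparmor_profile(caps, name="karn-generated"):
    """AppArmor profile granting only the listed capabilities (name is a placeholder)."""
    lines = ["profile %s flags=(attach_disconnected) {" % name]
    lines += ["  capability %s," % c for c in sorted(caps)]
    lines.append("}")
    return "\n".join(lines)


def generate(declarations):
    """Equivalent of 'karn generate chown dns' for the embedded sample set."""
    syscalls, caps = merge(declarations)
    return seccomp_profile(syscalls), apparmor_profile(caps)


if __name__ == "__main__":
    sec, aa = generate(DECLARATIONS)
    print(json.dumps(sec, indent=2))
    print(aa)
```

Because the seccomp default action is SCMP_ACT_ERRNO, anything a declaration forgets to list fails visibly instead of silently succeeding, which is the behaviour you want while iterating on a new declaration.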
Resources
- system calls - the 'API' of the kernel
- capabilities - a way of granting permissions
- seccomp - a system call filtering facility
- apparmor - a security facility for specifying various security rules such as capabilities
- containers - linux processes that karn output can protect
- toml - the language karn uses
- contained.af - a CTF game meant to teach you about syscalls and capabilities
Questions/Concerns? Open an issue or email me - grant at capsule8.com