Go Makefile Shell Roff
Switch branches/tags
Nothing to show
Latest commit b3ae1d4 Nov 9, 2017 @GrantSeltzer GrantSeltzer Fix Makefile
Signed-off-by: GrantSeltzer <grant@capsule8.com>

README.md

KARN


Karn is an admin-friendly tool for creating OCI compliant seccomp and apparmor profiles. Originally proposed here as part of the Linux Container Hardening project.


Baseline functionality exists. At this point all possible filters and rules that you can manually express in seccomp and apparmor profiles can be created using karn.

What's left in terms of big goals is to write a set of standard implementation declarations. This will be a valuable tool. If you have a history writing seccomp/apparmor profiles, please contribute!

Check out the issues for things that are not yet implemented.


Table of contents

Goal

Create a simple permission scheme for easily securing containers. Developers can just specify what their container will need permission to do and this tool will output the corresponding seccomp and apparmor configurations. This can be thought of as iOS entitlements for containers!

How it works

Declarations - You can think of these as rule definitions. You define a declaration as corresponding to particular system calls, capabilities, FileSystem rules, Networking, and other security related rules. Each file will correspond to just a single declaration. Declartions should follow the naming convention of "_declaration.toml". Declarations are combined to generate seccomp and apparmor profiles. Here's a couple examples of what a declaration looks like:

dns_declaration.toml

[System-Calls]
Allow = [
       "sendto",
       "recvfrom",
       "socket",
       "connect"
]

chown_declaration.toml

[System-Calls]
Allow = [
       "chown",
       "chown32",
       "fchown",
       "fchown32",
       "fchownat",
       "lchown",
       "lchown32"
]

[Capabilities]
Allow = ["chown"] # CAP_CHOWN

These declarations should be stored in ~/.karn/declarations. To take these two declarations to form seccomp and apparmor profiles, one would simply enter karn generate chown dns. You can also pass a different declaration directory with the -d/--declarations flag.

Additional resources

  • system calls - the 'API' of the kernel
  • capabilities - a way of granting permissions
  • seccomp - a system call filtering facility
  • apparmor - a security facility for specifying various security rules such as capabilities
  • containers - linux processes that karn output can protect
  • toml - the language karn uses
  • contained.af - a CTF game meant to teach you about syscalls and capabilities

Contact developer

Questions/Concerns? Open an issue or email me - grant at capsule8.com