feat: add seccomp profiler (#181)

* feat: add seccomp profiler

* chore: copy synthetics repo into seccomp docker image

minor clean ups

.gitignore

@@ -111,3 +111,4 @@ tmp
 __tests__/e2e/tmp/
 
 .idea/
+seccomp/build

seccomp/.dockerignore

@@ -0,0 +1,106 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# Next.js build output
+.next
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and *not* Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+tmp
+
+# Vim temp files
+*.swp

seccomp/Dockerfile

@@ -0,0 +1,14 @@
+FROM mcr.microsoft.com/playwright
+
+USER root
+RUN apt-get update
+RUN apt-get -y install rsyslog
+
+RUN apt-get -y install golang
+RUN go get github.com/elastic/go-seccomp-bpf github.com/elastic/go-ucfg/yaml
+
+COPY ./ /home/synthetics
+WORKDIR /home/synthetics
+
+RUN npm install
+RUN npm run build

seccomp/docker-compose.yml

@@ -0,0 +1,13 @@
+version: "3.7"
+services:
+  seccomp-profiler:
+    build:
+      context: ../
+      dockerfile: seccomp/Dockerfile
+    working_dir: /home/synthetics/seccomp
+    command: bash -c "sh /home/synthetics/seccomp/profile.sh"
+    stdin_open: true
+    tty: true
+    privileged: true
+    volumes:
+      - ./:/home/synthetics/seccomp/

seccomp/parse-syslog.js

@@ -0,0 +1,78 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2020-present, Elastic NV
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ */
+
+/* eslint-disable @typescript-eslint/no-var-requires */
+const fs = require('fs');
+const syscallTable = require('./x86_64_table.json');
+
+const syslogFile = process.argv[2] || './syslog';
+
+console.log(`# Seccomp profile generated from ${syslogFile}`);
+console.log(`
+seccomp:
+  default_action: errno
+  syscalls:
+`);
+const data = fs.readFileSync(syslogFile, 'UTF-8');
+const lines = data.split(/\r?\n/);
+
+const parseLine = line => {
+  const tuples = line.split(' ');
+  const log = {};
+  tuples.forEach(tuple => {
+    const parts = tuple.split('=');
+    log[parts[0]] = parts[1];
+  });
+  return log;
+};
+
+const seccomp = {};
+
+lines.forEach(line => {
+  const { syscall, exe } = parseLine(line);
+  if (syscall && exe) {
+    if (!seccomp[exe]) {
+      seccomp[exe] = {};
+    }
+    if (!seccomp[exe][syscall]) {
+      seccomp[exe][syscall] = syscallTable[syscall] || syscall;
+    }
+  }
+});
+
+for (const key in seccomp) {
+  if (seccomp.hasOwnProperty(key)) {
+    const syscalls = seccomp[key];
+    console.log(`  - \n  # ${key}`);
+    console.log(`    action: allow`);
+    console.log(`    names:`);
+    for (const k in syscalls) {
+      if (syscalls.hasOwnProperty(k)) {
+        const syscall = syscalls[k];
+        console.log(`    - ${syscall} #${k}`);
+      }
+    }
+  }
+}

seccomp/profile.sh

@@ -0,0 +1,16 @@
+# TODO: use docker syslog driver instead
+service rsyslog start
+# npm run build
+
+go build -o ./build/seccomp_exec seccomp_exec.go
+
+node ../dist/browser-service.js &
+tail -f /var/log/syslog > ./build/syslog &
+
+./build/seccomp_exec -policy=./seccomp_log_agent.yml node ../dist/cli.js ../examples/todos --ws-endpoint=ws://localhost:9322
+
+./build/seccomp_exec -policy=./seccomp_log_agent.yml cat ../examples/inline/sample-inline-journey.js | node ../dist/cli.js --inline --ws-endpoint=ws://localhost:9322
+
+service rsyslog stop
+
+node parse-syslog.js ./build/syslog > synthetics_agent_profile.yml

seccomp/seccomp_agent_runtime.yml

@@ -0,0 +1,32 @@
+# Seccomp profile generated from ./build/syslog
+
+seccomp:
+  default_action: errno
+  syscalls:
+  - 
+    action: allow
+    names:
+      - clock_gettime
+  -
+    # "/usr/bin/node"
+    action: allow
+    names:
+      - read #0
+      - write #1
+      - close #3
+      - mprotect #10
+      - writev #20
+      - getpid #39
+      - epoll_wait #232
+      - epoll_ctl #233
+      - openat #257
+      - statx #332
+  -
+    # "/home/synthetics/seccomp/seccomp_exec"
+    action: allow
+    names:
+      - rt_sigprocmask #14
+      - getpid #39
+      - clone #56
+      - newfstatat #262
+      - pipe2 #293

seccomp/seccomp_agent_static_analysis.yml

@@ -0,0 +1,105 @@
+seccomp:
+  default_action: log
+  syscalls:
+  - names:
+    - stat #4
+    - mprotect #10
+    - brk #12
+    - access #21
+    - socket #41
+    - connect #42
+    - bind #49
+    - getsockname #51
+    - gettimeofday #96
+    - getuid #102
+    - getgid #104
+    - geteuid #107
+    - getegid #108
+    - set_tid_address #218
+    - clock_gettime #228
+    - epoll_wait #232
+    - set_robust_list #273
+    - prlimit64 #302
+    - statx #332
+    action: allow
+  - names:
+    - accept
+    - accept4
+    - arch_prctl
+    - capget
+    - capset
+    - chdir
+    - chroot
+    - clone
+    - close
+    - copy_file_range
+    - dup
+    - dup2
+    - dup3
+    - epoll_create
+    - epoll_create1
+    - epoll_ctl
+    - epoll_pwait
+    - execve
+    - exit
+    - exit_group
+    - fchdir
+    - fchmod
+    - fchown
+    - fcntl
+    - fstat
+    - fsync
+    - ftruncate
+    - futex
+    - getdents64
+    - getpid
+    - getsockopt
+    - gettid
+    - ioctl
+    - kill
+    - lseek
+    - madvise
+    - mincore
+    - mlock
+    - mmap
+    - mount
+    - munmap
+    - nanosleep
+    - newfstatat
+    - openat
+    - pipe
+    - pipe2
+    - prctl
+    - pread64
+    - ptrace
+    - pwrite64
+    - read
+    - readlinkat
+    - recvfrom
+    - recvmsg
+    - rt_sigaction
+    - rt_sigprocmask
+    - rt_sigreturn
+    - sched_getaffinity
+    - sched_yield
+    - seccomp
+    - sendmsg
+    - sendto
+    - setgid
+    - setgroups
+    - setitimer
+    - setpgid
+    - setsid
+    - setsockopt
+    - setuid
+    - shutdown
+    - sigaltstack
+    - tgkill
+    - uname
+    - unshare
+    - wait4
+    - waitid
+    - write
+    - writev
+    action: allow
+