Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
150 lines (124 sloc) 3.14 KB

Quick Start

Library

Let's say you're writing a simple HTTP webserver in go:

package main

import (
    "fmt"
    "net/http"
)

func main() {
    http.HandleFunc("/", HelloServer)
    http.ListenAndServe(":8080", nil)
}

func HelloServer(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "I can modprobe if you exploit me, %s!", r.URL.Path[1:])
}

This program just handles incoming HTTP requests on a network sockets. I didn't include anything exploitable here for simplicity but try to imagine the possibility of an application vulnerablity.

The only relevant sounding entitlement is NetworkConnection. Let's apply it:

package main

import (
    "fmt"
    "net/http"
    Karn "github.com/grantseltzer/Karn/go/pkg/entitlements"
)

func main() {

    neededEntitlements := []Karn.Entitlement{
        "NetworkConnection"
    }

    err := Karn.ApplyEntitlements(neededEntitlements)
    if err != nil {
        log.Fatal(err)
    }

    http.HandleFunc("/", HelloServer)
    http.ListenAndServe(":8080", nil)
}

func HelloServer(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "I can modprobe if you exploit me, %s!", r.URL.Path[1:])
}

From here you wouldn't notice any difference in your applications runtime, except now it has a lot less system calls that it can use!

Containers

Let's use the same example as above. This time, we're running the application inside a container. In that case it's better to pass a seccomp profile to the container runtime instead of inside the application. This way the seccomp rules will be applied to every process inside the container.

We can build the karn CLI with a simple make.

From there, we're going to create the profile and then pass it with the container when we start it.

[*] ./bin/karn network_connection > seccomp_profile.json

[*] cat seccomp_profile
{
 "defaultAction": "SCMP_ACT_ALLOW",
 "architectures": [
  "SCMP_ARCH_X86",
  "SCMP_ARCH_X86_64"
 ],
 "syscalls": [
  {
   "names": [
    "adjtimex",
    "clock_adjtime",
    "clock_settime",
    "settimeofday",
    "stime",
    "pivot_root",
    "kexec_file_load",
    "kexec_load",
    "ioperm",
    "iopl",
    "quotactl",
    "execve",
    "execveat",
    "fork",
    "vfork",
    "swapon",
    "swapoff",
    "mount",
    "umount",
    "umount2",
    "sysfs",
    "_sysctl",
    "personality",
    "ustat",
    "nfsservctl",
    "vm86",
    "uselib",
    "vm86old",
    "reboot",
    "add_key",
    "request_key",
    "keyctl",
    "unshare",
    "setns",
    "mknod",
    "get_mempolicy",
    "set_mempolicy",
    "move_pages",
    "mbind",
    "acct",
    "ptrace",
    "lookup_dcookie",
    "bpf",
    "perf_event_open",
    "process_vm_readv",
    "process_vm_writev",
    "create_module",
    "delete_module",
    "finit_module",
    "get_kernel_syms",
    "init_module",
    "query_module",
    "chown",
    "fchown",
    "fchownat",
    "lchown"
   ],
   "action": "SCMP_ACT_ERRNO"
  }
 ]
}

[*] docker build # (building your container with your application)

[*] docker run --rm -d --security-opt seccomp=./seccomp_profile.json <your_image> <you_app_command_line>
You can’t perform that action at this time.