Skip to content
/ cerber Public

A straightforward command line tool for generate seccomp json file

pypi.python.org/pypi/cerber
3 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

openuado/cerber

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
cerber
cerber
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
AUTHORS
AUTHORS
 
 
ChangeLog
ChangeLog
 
 
Pipfile
Pipfile
 
 
README.rst
README.rst
 
 
setup.cfg
setup.cfg
 
 
setup.py
setup.py
 
 
tox.ini
tox.ini
 
 

Repository files navigation

Cerber

https://travis-ci.org/gr0und-s3ct0r/cerber.svg?branch=devel

A straightforward command line tool for generate seccomp json profile

Overview

Seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. Seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

Seccomp profile is used with by a lot of applications like:

  • docker
  • firefox
  • systemd
  • openssh
  • chrome
  • and more...

Cerber help you to generate seccomp profile that you can use with docker per example.

Prerequisites

  • Linux
  • Python3.5+
  • Strace

Install

$ pip install cerber

Usage

Generate a seccomp_profile.json in your current directory:

$ cerber docker run hello-world
$ ls
seccomp_profile.json
$ cat seccomp_profile.json
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architecture": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "read"
        },
        ...
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "execve"
        },
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "arch_prctl"
        }
    ]
}

Now you can assign this seccomp profile to your container at run:

$ docker run \
--rm \
--security-opt="no-new-privileges" \
--security-opt seccomp=seccomp_profile.json \
hello-world # you can get the following output for docker hello world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
...
For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Becareful to generate seccomp profile with cerber on the same cpu architecture that your production environment (where you want run your container).

Features

  • detect syscalls
  • generate seccomp profile from detected syscalls

Contribute

$ git clone https://github.com/gr0und-s3ct0r/cerber
$ cd cerber
$ pipenv install pbr
$ pipenv shell # generate a virtual environment
$ python setup.py develop # install cerber in development mode
$ pip install -e .[test] # install testing dependencies
$ # make your changes
$ tox

Further readings

Original Authors

About

A straightforward command line tool for generate seccomp json file

pypi.python.org/pypi/cerber

Topics

python docker docker-container seccomp-json

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

3 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages