{"id":13521333,"url":"https://github.com/containers/oci-seccomp-bpf-hook","last_synced_at":"2025-05-16T06:02:19.091Z","repository":{"id":41469381,"uuid":"209999677","full_name":"containers/oci-seccomp-bpf-hook","owner":"containers","description":"OCI hook to trace syscalls and generate a seccomp profile","archived":false,"fork":false,"pushed_at":"2025-04-23T22:02:48.000Z","size":5199,"stargazers_count":323,"open_issues_count":6,"forks_count":38,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-05-14T02:42:59.318Z","etag":null,"topics":["bcc","containers","oci","seccomp-profile","syscalls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-21T14:31:03.000Z","updated_at":"2025-04-26T22:30:40.000Z","dependencies_parsed_at":"2024-05-09T22:23:56.871Z","dependency_job_id":"c3635dde-9308-45ac-8eaf-bb4fcfd2a675","html_url":"https://github.com/containers/oci-seccomp-bpf-hook","commit_stats":{"total_commits":199,"total_committers":19,"mean_commits":"10.473684210526315","dds":0.6984924623115578,"last_synced_commit":"51eaa377cefcd60a0126edccf07c8a6e710f49fe"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Foci-seccomp-bpf-hook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Foci-seccomp-bpf-hook/tags","releases_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Foci-seccomp-bpf-hook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Foci-seccomp-bpf-hook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/containers","download_url":"https://codeload.github.com/containers/oci-seccomp-bpf-hook/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254478160,"owners_count":22077675,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bcc","containers","oci","seccomp-profile","syscalls"],"created_at":"2024-08-01T06:00:32.879Z","updated_at":"2025-05-16T06:02:19.005Z","avatar_url":"https://github.com/containers.png","language":"Go","funding_links":[],"categories":["Dependency intelligence","蓝队工具","Container Security Tools","Security"],"sub_categories":["云原生相关工具","Tools"],"readme":"[![Build Status](https://api.cirrus-ci.com/github/containers/oci-seccomp-bpf-hook.svg)](https://cirrus-ci.com/github/containers/oci-seccomp-bpf-hook/main)\n\n# oci-seccomp-bpf-hook\n\nThis project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container. The generated profile would allow all the syscalls made and deny every other syscall.\n\nThe syscalls are traced by launching a binary by using the prestart OCI hook. The binary started spawns a child process which attaches function `enter_trace` to the `raw_syscalls:sys_enter` tracepoint using eBPF. 
The function sees every syscall entered on the host and writes only those made from the container's PID namespace to a perf buffer. The userspace process reads the perf buffer and writes a seccomp profile when the container exits.\n\nThere are a few limitations to this approach:\n\n* Needs `CAP_SYS_ADMIN` to run\n* Compiles C code on the fly\n* Cannot use `podman run --rm` along with this ability\n\nBuilding it needs extra dependencies: `bcc-devel` and `kernel-headers` on Fedora, `bcc-tools` and `linux-headers-[..]` on Ubuntu.\n\nInterface:\n\n```bash\nsudo podman run --annotation io.containers.trace-syscall=\"if:[absolute path to the input file];of:[absolute path to the output file]\" IMAGE COMMAND\n```\n\nThe profile is written to the output path given in the annotation. Providing `of:` is mandatory, while `if:` is optional. An input file can be used as a baseline: newly recorded syscalls are added to its allow set and the result is written to the output. If a syscall is blocked in the base profile, it remains blocked in the output file even if it is recorded while tracing.\n\nBecause the output allows exactly the syscalls observed during the traced run, any code path the workload did not exercise while tracing (error handling, signal delivery, a rarely used feature) will be denied once the profile is enforced. Drive the container through its full set of behaviours while tracing, and test the generated profile with `podman run --security-opt seccomp=[absolute path to the output file]` before relying on it.\n\nPlease refer to an article on [Enable Sysadmin](https://www.redhat.com/sysadmin/container-security-seccomp) for more details.\n\n`Copyright {2018-2022} {containers/oci-seccomp-bpf-hook maintainers}`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainers%2Foci-seccomp-bpf-hook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainers%2Foci-seccomp-bpf-hook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainers%2Foci-seccomp-bpf-hook/lists"}
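The README above describes how the hook merges an optional `if:` baseline with the syscalls it records: recorded syscalls are added to the allow set, a syscall the baseline blocks stays blocked, and everything else is denied. The Go program below is an added example written for this page, not the project's own code, that implements that merge rule over the subset of the OCI runtime-spec seccomp profile schema (`defaultAction`, `architectures`, `syscalls`) that `podman --security-opt seccomp=FILE` consumes. It assumes "blocked in the base profile" means an explicit non-`SCMP_ACT_ALLOW` rule in the baseline; the baseline JSON and the list of "recorded" syscalls are constructed sample data standing in for the `if:` file and the perf-buffer output. It goes one step beyond the README by evaluating the merged profile for individual syscalls, which makes the practical caveat visible: a syscall the workload never made while tracing (`mmap` here) is denied.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// SyscallRule is the subset of an OCI runtime-spec seccomp rule used here.
type SyscallRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// Profile is the subset of the seccomp profile schema that podman accepts
// via --security-opt seccomp=FILE.
type Profile struct {
	DefaultAction string        `json:"defaultAction"`
	Architectures []string      `json:"architectures,omitempty"`
	Syscalls      []SyscallRule `json:"syscalls"`
}

// Constructed sample baseline standing in for the "if:" input file:
// it allows a few syscalls and explicitly blocks ptrace.
const sampleBaseline = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}`

// Constructed sample of what the tracer would have recorded from the
// container's PID namespace (the real hook reads these from the perf buffer).
var sampleRecorded = []string{"read", "openat", "execve", "ptrace", "read", "close"}

// loadProfile parses a baseline profile; a nil result means "no baseline".
func loadProfile(data []byte) (*Profile, error) {
	if len(data) == 0 {
		return nil, nil
	}
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("parsing baseline profile: %w", err)
	}
	return &p, nil
}

// mergeProfile applies the merge rule the README states: recorded syscalls
// join the baseline's allow set, a syscall the baseline explicitly blocks stays
// blocked even if recorded, and everything else falls to the default deny.
// Explicit non-allow rules from the baseline are carried over unchanged so
// that their action (ERRNO, KILL, ...) is preserved.
func mergeProfile(baseline *Profile, recorded []string) Profile {
	out := Profile{DefaultAction: "SCMP_ACT_ERRNO"}
	allowed := map[string]bool{}
	blocked := map[string]bool{}
	var denyRules []SyscallRule
	if baseline != nil {
		out.Architectures = baseline.Architectures
		for _, rule := range baseline.Syscalls {
			if rule.Action == "SCMP_ACT_ALLOW" {
				for _, n := range rule.Names {
					allowed[n] = true
				}
				continue
			}
			for _, n := range rule.Names {
				blocked[n] = true
			}
			denyRules = append(denyRules, rule)
		}
	}
	for _, n := range recorded {
		if !blocked[n] {
			allowed[n] = true
		}
	}
	names := make([]string, 0, len(allowed))
	for n := range allowed {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output so generated profiles diff cleanly
	out.Syscalls = append([]SyscallRule{{Names: names, Action: "SCMP_ACT_ALLOW"}}, denyRules...)
	return out
}

// isAllowed evaluates one syscall name against the profile: the first rule
// naming it decides, otherwise the default action applies. mergeProfile never
// emits overlapping rules, so first match is sufficient here.
func isAllowed(p Profile, name string) bool {
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			if n == name {
				return rule.Action == "SCMP_ACT_ALLOW"
			}
		}
	}
	return p.DefaultAction == "SCMP_ACT_ALLOW"
}

func main() {
	base, err := loadProfile([]byte(sampleBaseline))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	merged := mergeProfile(base, sampleRecorded)
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(merged)
	// mmap was never recorded, so the enforced profile denies it: the
	// untested-code-path failure mode of any traced profile.
	fmt.Println("mmap allowed:", isAllowed(merged, "mmap"))
	fmt.Println("ptrace allowed:", isAllowed(merged, "ptrace"))
}
```

The `ptrace` case shows why the baseline matters for hardening: the traced workload called it, but because the baseline blocks it the generated profile still denies it, so a deliberately restrictive baseline cannot be widened by whatever the container happened to do during the tracing run.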