Repository record (from the ecosyste.ms index entry for this project):

- Repository: https://github.com/gprocunier/blastwall (owner: gprocunier, license: GPL-3.0, language: Python)
- Description: SELinux, IdM, and AAP proof of concept for confining privileged automation and denying kernel exploit surfaces before jobs reach managed RHEL hosts.
- Homepage: https://blastwall.org
- Created 2026-05-01, last pushed 2026-05-25; threat model documented in `THREAT-MODEL.md`
- Topics: ansible, ansible-automation-platform, automation-security, bpf-lsm, calabi, copyfail, ebpf, eigenstate-ipa, exploit-mitigation, freeipa, idm, kernel-security, linux-security, openshift, privileged-automation, red-hat, rhel, security-hardening, selinux, selinux-policy

# blastwall

`blastwall` is a proof of concept for privileged automation security on RHEL.
The idea is simple: automation should not arrive on managed hosts with the same
unconfined local shape as a human operator. Red Hat Identity Management (IdM)
should decide who may run, Ansible Automation Platform (AAP) should act on that
state, and SELinux should confine the session when it reaches the host.

The first concrete target was the [`copy.fail`](https://copy.fail/) exploit
path. The current proof also covers
[`Dirty Frag`](https://github.com/V4bel/dirtyfrag), which was publicly
documented on May 7, 2026 and relies on xfrm-ESP and RxRPC page-cache write
paths. Anthony Green's
[`block-copyfail`](https://github.com/atgreen/block-copyfail) shows the precise
BPF LSM answer for that vulnerability. Blastwall takes a different angle: if a
risky kernel surface should be unavailable to privileged automation identities,
can that mitigation move through the same SELinux, IdM, AAP, and RHEL content
delivery model operators already understand?

That gives Blastwall a dual use. It can react to an unfixed CVE by denying a
risky surface for automation accounts before the whole fleet is patched. It can
also become proactive automation posture: a CI/CD-managed policy boundary that
operators tighten over time as they learn what privileged automation should
never need to do.

This follows from the argument I made in
[`privileged-automation-security`](https://gprocunier.github.io/privileged-automation-security/):
automation moves too quickly and too broadly to inherit every assumption we
make about an interactive privileged shell.

## Start Here

The GitHub Pages site is the best entry point:
[`gprocunier.github.io/blastwall`](https://gprocunier.github.io/blastwall/).

| Need | Start With |
| --- | --- |
| Understand the 2-minute model | [`Architecture`](https://gprocunier.github.io/blastwall/architecture.html) |
| Understand where policy comes from and how it is maintained | [`Day 2 Operations`](https://gprocunier.github.io/blastwall/day2-operations.html) |
| Understand the OpenShift workload path | [`OpenShift/SPO`](https://gprocunier.github.io/blastwall/openshift-spo.html) |
| Watch the operator-facing proof | [`AAP Demo`](https://gprocunier.github.io/blastwall/aap-demo.html) |
| Inspect the bootstrap and host-local mechanics | [`Ansible Demo`](https://gprocunier.github.io/blastwall/demo.html) |
| Reproduce the AAP recording | [`AAP Lab`](https://gprocunier.github.io/blastwall/quick-demo.html) |
| Reproduce the Ansible-only proof | [`Ansible Lab`](https://gprocunier.github.io/blastwall/ansible-lab.html) |
| Record the OpenShift/SPO proof | [`OpenShift/SPO Demo`](https://gprocunier.github.io/blastwall/openshift-spo-demo.html) |
| Understand the IdM relationship model | [`IdM Control Model`](https://gprocunier.github.io/blastwall/idm-control-model.html) |
| Understand the SELinux boundary | [`SELinux Control Model`](https://gprocunier.github.io/blastwall/selinux-control-model.html) |
| Compare Blastwall with adjacent tools | [`Comparison`](https://gprocunier.github.io/blastwall/comparable-approaches.html) |
| Review assumptions and attack paths | [`Threat Model`](https://gprocunier.github.io/blastwall/threat-model.html) |
| Look up terms and acronyms | [`Glossary`](https://gprocunier.github.io/blastwall/glossary.html) |
| Look up exact objects and expected outputs | [`Reference`](https://gprocunier.github.io/blastwall/reference.html) |

## What It Proves

Blastwall joins four responsibilities that are usually discussed separately:

| Part | Role |
| --- | --- |
| SELinux | Enforces the host-local automation boundary. |
| IdM | Records identity, host scope, HBAC, sudo, SELinux user maps, and host markers. |
| `eigenstate.ipa` | Reads IdM state into inventory-visible facts. |
| AAP | Launches workflows, runs preflight checks, selects suitable hosts, and records evidence. |

The recorded demos show that an automation identity can land in
`blastwall_u:blastwall_r:blastwall_t:s0`, use sudo without escaping that
domain, and hit denied AF_ALG, BPF, packet_socket, userns, io_uring, xfrm, and
RxRPC probes.
The userns denial is the clearest proactive posture example: user namespaces are
often useful in exploit chains, and this automation identity has no expected
reason to create them.
The AAP path also shows Controller-visible credential smoke, IdM inventory sync,
preflight selection, workflow node status, and managed-host verification output.

## Repository Map

| Path | Purpose |
| --- | --- |
| `policy/` | SELinux reference-policy module and CIL deny rule. |
| `openshift/spo/` | Security Profiles Operator profile, SCC, RBAC, examples, and UBI-based validation harness for OpenShift workloads. |
| `idm/` | IdM group, hostgroup, HBAC, sudo, and SELinux user-map examples. |
| `inventory/` | `eigenstate.ipa.idm` inventory source for AAP. |
| `playbooks/` | Preflight, deployment, credential smoke, and verification playbooks. |
| `aap/` | Controller configuration-as-code for the AAP workflow. |
| `execution-environment/` | AAP execution environment definition. |
| `poc-calabi/` | Calabi lab overlay used to record and replay the proof. |
| `docs/` | GitHub Pages documentation and recordings. |

## Requirements

- RHEL or compatible hosts with SELinux enforcing.
- IdM/FreeIPA for identity, HBAC, sudo, SELinux user mapping, and host markers.
- AAP/Automation Controller for the Controller-based workflow.
- OpenShift with Security Profiles Operator for the OpenShift workload path.
- [`eigenstate.ipa`](https://gprocunier.github.io/eigenstate-ipa/) for
  inventory-aware IdM state.
- Ansible collection dependencies from `collections/requirements.yml`.

Install collection dependencies with:

```bash
ansible-galaxy collection install -r collections/requirements.yml
```

## Documentation Shape

The docs intentionally separate reader needs:

- `architecture.html` explains the control chain and authority boundaries.
- `day2-operations.html` explains where policy comes from, how operators build
  a baseline disposition, and how new CVEs become tested deny scopes.
- `openshift-spo.html` explains the OpenShift workload confinement path with
  Security Profiles Operator, SCC selection, and safe node validation.
- demo pages explain what the recordings prove.
- lab pages guide replay from a prepared environment.
- comparison and threat-model pages review scope fit, assumptions, attack
  paths, and residual risk.
- glossary and reference pages define terms, exact objects, and expected
  outputs.

That split keeps the landing page and README from becoming a maze of setup
steps, architecture debate, and term definitions.