Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/grantseltzer/karn
Simplifying Seccomp enforcement in containerized or non-containerized apps
container-security containers karn seccomp seccomp-filter security security-hardening security-tools
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/grantseltzer/karn
- Owner: grantseltzer
- License: mpl-2.0
- Created: 2017-06-16T15:11:45.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2020-10-29T22:33:15.000Z (about 4 years ago)
- Last Synced: 2024-06-18T22:56:31.134Z (7 months ago)
- Topics: container-security, containers, karn, seccomp, seccomp-filter, security, security-hardening, security-tools
- Language: Go
- Homepage: https://www.grant.pizza/blog/karn/
- Size: 3.49 MB
- Stars: 110
- Watchers: 5
- Forks: 13
- Open Issues: 9
Metadata Files:
- Readme: README.md
- Contributing: docs/CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
README
# Karn
Use Karn to enforce seccomp rules in your code. Select the entitlements that your application needs and not the ones it doesn't need!
See [associated blog post](https://www.grant.pizza/blog/karn/)
## Table of Contents
* [How it Works](#how-it-works)
* [Entitlements](#entitlements)
* [Dependencies](#dependencies)
* [Quickstart](#quickstart)

## How it works
Seccomp is a security facility of the Linux kernel. It allows you to create filters for system calls on a process-by-process basis. For example, you can create a seccomp filter that allows all system calls except [chmod](http://man7.org/linux/man-pages/man2/fchmod.2.html). You can then load that filter into a running process. If the `chmod` system call is used after that, the kernel returns an error to your process, which can handle it however it's programmed to.
Despite the power that seccomp provides, it's very difficult to use in practice. You must have deep knowledge of all system calls, and even then the task is daunting. This is where Karn comes in.
Karn uses entitlements to abstract away the need to know all the system calls your application will need. Getting started is as simple as familiarizing yourself with the entitlements Karn offers.
Karn's entitlements aren't quite allow or deny lists. The installed seccomp filter has a default action of 'Allow', meaning any system call not named in the filter is allowed. On top of that, the system calls belonging to any Karn entitlement that you did not select are denied. This avoids superfluous blocking of obscure or harmless system calls.
Karn can be used for generating profiles for containers, or can be used as a library in your non-containerized application. See the quickstart guide below for more.
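To make the model above concrete, here is an added Go example (not Karn's own code) that builds an OCI-style seccomp profile the way the text describes: the default action is allow, and only the syscalls of entitlements that were not selected are denied. The entitlement table is constructed for this example and is much smaller than Karn's real `pkg/entitlements` mapping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed entitlement table for this example; Karn's real
// entitlement-to-syscall mapping lives in its pkg/entitlements package.
var entitlements = map[string][]string{
	"Chown":      {"chown", "fchown", "fchownat", "lchown"},
	"Mounts":     {"mount", "umount2", "pivot_root"},
	"Modules":    {"init_module", "finit_module", "delete_module"},
	"Networking": {"socket", "connect", "bind", "listen", "accept4"},
}

// Profile is the subset of the OCI seccomp profile format we emit.
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Syscalls      []Syscall `json:"syscalls"`
}

type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// BuildProfile applies the model from the README: the default action is
// allow, and every entitlement NOT selected has its syscalls denied with
// an errno so the process sees a failed call rather than being killed.
func BuildProfile(selected ...string) Profile {
	keep := map[string]bool{}
	for _, s := range selected {
		keep[s] = true
	}
	denied := []string{}
	for name, calls := range entitlements {
		if !keep[name] {
			denied = append(denied, calls...)
		}
	}
	sort.Strings(denied) // deterministic output for diffing profiles
	p := Profile{DefaultAction: "SCMP_ACT_ALLOW"}
	if len(denied) > 0 {
		p.Syscalls = []Syscall{{Names: denied, Action: "SCMP_ACT_ERRNO"}}
	}
	return p
}

func main() {
	out, _ := json.MarshalIndent(BuildProfile("Networking"), "", "  ")
	fmt.Println(string(out))
}
```

Selecting only `Networking` leaves socket calls allowed while chown, mount and module-loading syscalls are denied; selecting every entitlement yields a profile with no deny rules at all.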
## Entitlements
See godoc [here](https://pkg.go.dev/github.com/grantseltzer/[email protected]/pkg/entitlements)
## Dependencies
See [docs/dependencies.md](./docs/dependencies.md)
## Quickstart
See [docs/quickstart.md](./docs/quickstart.md)