Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lockc-project/lockc
Making containers more secure with eBPF and Linux Security Modules (LSM)
containers ebpf kubernetes lsm lsm-hooks security
Last synced: 5 days ago
- Host: GitHub
- URL: https://github.com/lockc-project/lockc
- Owner: lockc-project
- License: apache-2.0
- Created: 2021-04-22T21:10:52.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-05-11T07:10:24.000Z (over 1 year ago)
- Last Synced: 2024-05-23T07:44:27.521Z (6 months ago)
- Topics: containers, ebpf, kubernetes, lsm, lsm-hooks, security
- Language: Rust
- Homepage: https://lockc-project.github.io/
- Size: 2.43 MB
- Stars: 207
- Watchers: 7
- Forks: 20
- Open Issues: 24
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-rust-cloud-native - rancher-sandbox/lockc - based MAC security audit for container workloads (Uncategorized / Uncategorized)
README
![lockc](https://raw.githubusercontent.com/lockc-project/assets/main/logo-horizontal-lockc.png)
[![Crate](https://img.shields.io/crates/v/lockc)](https://crates.io/crates/lockc)
[![Book](https://img.shields.io/website?url=https%3A%2F%2Flockc-project.github.io%2Flockc%2F)](https://lockc-project.github.io/lockc/)
[![Discord](https://img.shields.io/discord/874314181191565453?label=discord&logo=discord)](https://discord.gg/799cmsYB4q)
[![Docs](https://docs.rs/lockc/badge.svg)](https://docs.rs/lockc/)
[![Build Status](https://github.com/lockc-project/lockc/actions/workflows/rust.yml/badge.svg)](https://github.com/lockc-project/lockc/actions/workflows/rust.yml)

**lockc** is open source software for providing a MAC (Mandatory Access Control)
type of security audit for container workloads.

The main reason why **lockc** exists is that **containers do not contain**.
Containers are not as secure and isolated as VMs. By default, they expose
a lot of information about the host OS and provide ways to "break out" from the
container. **lockc** aims to provide more isolation to containers and make them
more secure.

The [Containers do not contain](https://lockc-project.github.io/book/containers-do-not-contain.html)
documentation section explains what we mean by that phrase and what kind of
behavior we want to restrict with **lockc**.

The main technology behind lockc is [eBPF](https://ebpf.io/) - to be more
precise, its ability to attach to [LSM hooks](https://docs.kernel.org/bpf/prog_lsm.html).

Please note that lockc is currently an experimental project, not meant for
production environments and without any official binaries or packages to use -
currently the only way to use it is to build it from source.

See [the full documentation here](https://lockc-project.github.io/).
And [the code documentation here](https://docs.rs/lockc/).

If you need help or want to talk with contributors, please come chat with us
in the `#lockc` channel on the [Rust Cloud Native Discord server](https://discord.gg/799cmsYB4q).

**lockc's** userspace part is licensed under [Apache License, version 2.0](https://github.com/lockc-project/lockc/blob/main/LICENSE).
eBPF programs inside [lockc/src/bpf directory](https://github.com/lockc-project/lockc/tree/main/lock-ebpf)
are licensed under [GNU General Public License, version 2](https://github.com/lockc-project/lockc/blob/main/lockc-ebpf/LICENSE).