lockc
Making containers more secure with eBPF and Linux Security Modules (LSM)
* [ ] Add support for OpenTelemetry via https://crates.io/crates/opentelemetry
* [ ] Add metrics about newly observed containers
* [ ] Add Prometheus integration
https://github.com/Serinalice/fanotify-rs/, which we are using right now, seems unmaintained and there was no reaction to our pull requests. Short term goal:
* Write our own module for fanotify in lockc...
After #57 is done, we need to monitor the Docker socket somehow to make sure that only the root user applies lockc labels. No clear idea how to do that yet. Figuring...
For now we are using hash maps with strings to specify path prefixes, from which we can (or cannot) access files: https://github.com/rancher-sandbox/lockc/blob/05a94fae2396fbb1ae737df148f402cd3389018b/lockc/src/bpf/maps.h#L67-L113
We don't really need those uprobes anymore, as we have no runc wrapper anymore and we receive all container events (create, delete etc.) in the userspace daemon.
https://dagger.io/ provides nice features like creating kind clusters and using Kubernetes in your CI pipelines. For now, requesting early access is needed to use Dagger (I have it).
So far lockc only enforces policies. We should have a permissive mode which only logs denials instead of blocking them.
After #107 is done, we need to push a subset of events / traces to Prometheus.
Use the perf ring buffer to push events about what decision was made from BPF programs to userspace. **It's not just a log message! We need a proper struct/object.**
Use https://crates.io/crates/opentelemetry to push out the events we gathered with tracing. Depends on #106.