oci-seccomp-bpf-hook(1)(--)          hook          oci-seccomp-bpf-hook(1)(--)

SYNOPSIS

       oci-seccomp-bpf-hook prestart [container.json]


DESCRIPTION

       The OCI hook oci-seccomp-bpf-hook generates seccomp profiles by tracing
       the syscalls made by the container. The generated profile whitelists
       all of the syscalls that were made and blacklists all other syscalls.


       The syscalls are traced by launching a binary using the OCI prestart
       hook. The binary spawns a child process which attaches the function
       enter_trace to the raw_syscalls:sys_enter tracepoint using eBPF. The
       hook buffers all syscalls made by processes within the PID namespace of
       the container. When the container exits, the hook writes out the
       seccomp profile using all of the syscalls stored in the buffer.


       There are a few limitations to this approach:


       Requires:


              Root privileges (CAP_SYS_ADMIN). The hook will not work with rootless containers.

              The bcc tool chain and kernel headers. BPF programs must be compiled before running to match the current kernel.

              A container engine that supports OCI hooks.



       Annotation:


              The oci-seccomp-bpf-hook requires the container to be run with the annotation `io.containers.trace-syscall=`. It must include an output file parameter `of:[output file]`. This output file must be an absolute path.

              Optionally you can include an input file parameter `if:[input file]` pointing to a previously generated seccomp profile file; multiple parameters are separated by `;` (see EXAMPLES). This input file must also be an absolute path. If specified, the oci-seccomp-bpf-hook will read in the input seccomp profile and preload the list of syscalls.

              The profile will be created at the output path provided to the annotation. An input file can be used to create a baseline: newly recorded syscalls will be added to the set and written to the output. If a syscall is blocked in the base profile, then it will remain blocked in the output file even if it is recorded while tracing.

              This annotation can be used directly via container engines like Podman or passed into the container engine by Kubernetes.



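The annotation parsing and the baseline-merge rule described above, shown as an added example written for this page. It is not the hook's own code: ParseAnnotation, MergeProfile, Allowed and the Profile/Syscall types are hypothetical helpers, the `if:`/`of:` keys and `;` separator come from this page, and the profile JSON is a constructed sample in the OCI seccomp format (defaultAction/syscalls/names/action). The merge keeps every rule from the baseline, so a syscall the baseline blocks with SCMP_ACT_ERRNO stays blocked even when it is traced, and only genuinely new syscalls are appended to an allow rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Profile holds the parts of an OCI seccomp profile this example uses.
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Syscalls      []Syscall `json:"syscalls"`
}

// Syscall is one rule: a set of syscall names sharing an action.
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// Annotation is the parsed io.containers.trace-syscall value.
type Annotation struct {
	InputFile  string // optional if:[input file]
	OutputFile string // required of:[output file]
}

// ParseAnnotation parses "if:/path;of:/path" (hypothetical helper) and
// rejects relative paths, as the man page requires absolute ones.
func ParseAnnotation(value string) (Annotation, error) {
	var a Annotation
	for _, field := range strings.Split(value, ";") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		parts := strings.SplitN(field, ":", 2)
		if len(parts) != 2 {
			return Annotation{}, fmt.Errorf("malformed field %q", field)
		}
		key, path := parts[0], parts[1]
		if !filepath.IsAbs(path) {
			return Annotation{}, fmt.Errorf("%s path must be absolute: %q", key, path)
		}
		switch key {
		case "if":
			a.InputFile = path
		case "of":
			a.OutputFile = path
		default:
			return Annotation{}, fmt.Errorf("unknown parameter %q", key)
		}
	}
	if a.OutputFile == "" {
		return Annotation{}, fmt.Errorf("annotation must contain of:[output file]")
	}
	return a, nil
}

// MergeProfile adds traced syscalls to a baseline (nil means no if: file).
// Baseline rules are copied unchanged, so blocked syscalls stay blocked;
// syscalls not mentioned in the baseline go into a new allow rule.
func MergeProfile(base *Profile, traced []string) Profile {
	seen := map[string]bool{}
	out := Profile{DefaultAction: "SCMP_ACT_ERRNO"} // deny-by-default when no baseline
	if base != nil {
		out.DefaultAction = base.DefaultAction
		for _, rule := range base.Syscalls {
			out.Syscalls = append(out.Syscalls, rule)
			for _, n := range rule.Names {
				seen[n] = true
			}
		}
	}
	var added []string
	for _, n := range traced {
		if !seen[n] { // skips baseline entries and duplicate traces
			seen[n] = true
			added = append(added, n)
		}
	}
	if len(added) > 0 {
		sort.Strings(added) // deterministic output for diffing profiles
		out.Syscalls = append(out.Syscalls, Syscall{Names: added, Action: "SCMP_ACT_ALLOW"})
	}
	return out
}

// Allowed reports whether the first matching rule (or the default) permits name.
func Allowed(p Profile, name string) bool {
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			if n == name {
				return rule.Action == "SCMP_ACT_ALLOW"
			}
		}
	}
	return p.DefaultAction == "SCMP_ACT_ALLOW"
}

func main() {
	// Constructed baseline: allows read/write and explicitly blocks ptrace.
	baseJSON := `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[
	  {"names":["read","write"],"action":"SCMP_ACT_ALLOW"},
	  {"names":["ptrace"],"action":"SCMP_ACT_ERRNO"}]}`
	var base Profile
	if err := json.Unmarshal([]byte(baseJSON), &base); err != nil {
		panic(err)
	}
	a, err := ParseAnnotation("if:/tmp/seccomp-origin.json;of:/tmp/seccomp-new.json")
	if err != nil {
		panic(err)
	}
	fmt.Println("input:", a.InputFile, "output:", a.OutputFile)
	merged := MergeProfile(&base, []string{"write", "openat", "ptrace", "close"})
	enc, _ := json.MarshalIndent(merged, "", "  ")
	fmt.Println(string(enc))
}
```

Run with `go run` on the file; the printed profile keeps the ptrace block rule from the baseline and adds an allow rule for close and openat only.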

EXAMPLES

       sudo podman run --annotation io.containers.trace-syscall="of:/tmp/seccomp-new.json" IMAGE COMMAND


       sudo podman run --annotation io.containers.trace-syscall="if:/tmp/seccomp-origin.json;of:/tmp/seccomp-new.json" IMAGE COMMAND



FILES

       OCI hook configuration file for prestart


       /usr/share/containers/oci/hooks.d/oci-seccomp-bpf-hook.json


       /etc/containers/oci/hooks.d/oci-seccomp-bpf-hook.json (Override)



SEE ALSO

       podman(1), seccomp(2), oci-hooks(5)



AUTHORS

       Divyansh Kamboj kambojdivyansh2000@gmail.com ⟨mailto:kambojdivyansh2000@gmail.com⟩


       Valentin Rothberg vrothberg@redhat.com ⟨mailto:vrothberg@redhat.com⟩


       Dan Walsh dwalsh@redhat.com ⟨mailto:dwalsh@redhat.com⟩



systemd                               OCI          oci-seccomp-bpf-hook(1)(--)