Podman team is interested in this tool or something similar. #1

Open
rhatdan opened this issue Oct 22, 2020 · 1 comment
rhatdan commented Oct 22, 2020

We would like to add this functionality similar to oci-seccomp-bpf-hook and allow users to gather this information about capabilities as well as syscalls.

We kind of like the idea of learning mode, where the container can run in production mode for a few months gathering all of the capabilities. Once users are happy with the container, then they can switch it to enforcing mode, and only allow the previously gathered capabilities (or syscalls). Now I would want to keep the scanner going to watch for failed capabilities.

I even think this would be good debugging code to allow users to figure out why a container is getting permission denied.

Currently seccomp and SELinux at least print messages in the audit.log when something is denied; there is no such mechanism for capabilities.

Where is the output of this tool written? Can you run it in permissive mode?
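The learn-then-enforce workflow described above, as an added example that is not code from this repository, from Podman, or from oci-seccomp-bpf-hook. It decodes the `CapEff` bitmask the kernel exposes in `/proc/<pid>/status`, unions the sets seen over a learning phase, and reports anything outside that set during enforcement. One caveat a practitioner should keep in mind: `CapEff` is the set a process *holds*, not the set it has actually *exercised*; a BPF hook of the kind the comment asks for would observe the latter. The bookkeeping shown here is the same either way. The bit table follows `linux/capability.h`; the sample `status` texts are constructed, and `podman_flags` assumes the documented `--cap-drop`/`--cap-add` flags of `podman run`.

```python
"""Learn-then-enforce bookkeeping for Linux capability sets.

Added illustration only: not code from this repository, from Podman, or from
oci-seccomp-bpf-hook. Sample /proc/<pid>/status texts below are constructed.
"""
import re
from typing import Iterable, List, Optional, Set

# Bit positions from include/uapi/linux/capability.h (bit 0 = CAP_CHOWN).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Matches the Cap* lines of /proc/<pid>/status, e.g. "CapEff:\t00000000a80425fb".
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def decode_caps(mask: int) -> Set[str]:
    """Map a capability bitmask to the names it contains.
    Bits beyond the table (a newer kernel) are reported as CAP_<n> rather than dropped."""
    caps: Set[str] = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            caps.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return caps


def caps_from_status(status_text: str, field: str = "CapEff") -> Set[str]:
    """Extract one Cap* field from the text of /proc/<pid>/status."""
    for name, hexmask in _CAP_LINE.findall(status_text):
        if name == field:
            return decode_caps(int(hexmask, 16))
    raise ValueError(f"{field} not found in status text")


def read_caps(pid: Optional[int] = None, field: str = "CapEff") -> Set[str]:
    """Live variant: read the field for a real process (own process if pid is None)."""
    path = "/proc/self/status" if pid is None else f"/proc/{pid}/status"
    with open(path, encoding="ascii") as fh:
        return caps_from_status(fh.read(), field)


def learn(samples: Iterable[Set[str]]) -> Set[str]:
    """Learning mode: the union of every capability set observed."""
    learned: Set[str] = set()
    for sample in samples:
        learned |= sample
    return learned


def enforce(observed: Set[str], learned: Set[str]) -> Set[str]:
    """Enforcing mode: capabilities seen now that were never seen while learning."""
    return observed - learned


def podman_flags(learned: Set[str]) -> List[str]:
    """Turn the learned set into podman run flags (podman accepts names without CAP_)."""
    return ["--cap-drop=ALL"] + sorted(f"--cap-add={c[len('CAP_'):]}" for c in learned)


# Constructed samples: two learning-phase snapshots and one enforcing-phase snapshot.
SAMPLE_LEARNING = [
    "Name:\tnginx\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t00000000a80425fb\n",          # NET_BIND_SERVICE
    "Name:\tnginx\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000401\n"
    "CapEff:\t0000000000000401\nCapBnd:\t00000000a80425fb\n",          # + CHOWN
]
SAMPLE_ENFORCING = (
    "Name:\tnginx\nCapInh:\t0000000000000000\nCapPrm:\t0000000000200401\n"
    "CapEff:\t0000000000200401\nCapBnd:\t00000000a80425fb\n"           # + SYS_ADMIN
)

if __name__ == "__main__":
    learned = learn(caps_from_status(s) for s in SAMPLE_LEARNING)
    print("learned:", sorted(learned))
    print("podman:", " ".join(podman_flags(learned)))
    print("unexpected:", sorted(enforce(caps_from_status(SAMPLE_ENFORCING), learned)))
```

Running the script prints the learned set, the equivalent `podman run` flags, and `['CAP_SYS_ADMIN']` as the capability that appeared only after learning ended; pointing `read_caps` at a live pid replaces the constructed snapshots.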

rhatdan commented Oct 22, 2020

@vrothberg PTAL
