seitan is a framework to filter, transform and impersonate system calls, enabling privilege reduction in container and virtualisation engines. It allows you to filter and replay only the system calls you need, instead of running things as root or granting capabilities to processes.
seitan-cooker builds a BPF program and a bytecode file (gluten) from a recipe with matches on system calls and corresponding actions.

seitan-eater loads the BPF program associated with the process context into the kernel, and runs the target process. Container engines such as Podman can directly load this program via OCI annotations instead.

seitan is the supervisor: it receives notifications via seccomp_unotify, interprets them according to gluten, and triggers the configured actions as a result.
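The three roles above, in one added C example written for this page (it is not seitan's code and does not use seitan's recipe or gluten formats; the recipe structure here is a hypothetical stand-in). It compiles a recipe into a classic-BPF seccomp filter the way seitan-cooker does, evaluates that filter offline to check what each syscall number would get, and then plays seitan's supervisor part live: a child process is started under the filter, its getppid() arrives as a seccomp_unotify notification, and the supervisor answers with a fabricated value, so the syscall is impersonated rather than executed. It assumes Linux 5.0 or newer on x86_64 or aarch64; where the listener cannot be created (older kernel, restrictive sandbox) the live part returns -1 and installs nothing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* One recipe entry (hypothetical format, not seitan's): a syscall number and the seccomp action for it. */
struct match { int nr; unsigned int action; };
/* Assemble a classic-BPF seccomp filter: check the architecture, compare the syscall number against
 * each match, allow anything unmatched. Returns the instruction count, or -1 if out is too small. */
static int build_filter(const struct match *recipe, size_t n, struct sock_filter *out, size_t cap)
{
    size_t i = 0, m;
    if (cap < 5 + 2 * n) return -1;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (m = 0; m < n; m++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)recipe[m].nr, 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, recipe[m].action);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Evaluate the three instruction kinds emitted above the way the kernel would, so a recipe can be
 * checked offline. Jump offsets are relative to the next instruction, hence the loop's own pc++. */
static unsigned int eval_filter(const struct sock_filter *p, int len, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &p[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)d + ins->k, sizeof acc);
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == ins->k) ? ins->jt : ins->jf;
        else if (ins->code == (BPF_RET | BPF_K)) return ins->k;
        else return SECCOMP_RET_KILL_PROCESS;   /* not an instruction this evaluator knows */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Build the filter for a recipe and ask it about one syscall number on one architecture. */
static unsigned int decide_for(const struct match *recipe, size_t n, int nr, unsigned int arch)
{
    struct sock_filter insns[32];
    struct seccomp_data d = { .nr = nr, .arch = arch };
    int len = build_filter(recipe, n, insns, 32);
    return len < 0 ? SECCOMP_RET_KILL_PROCESS : eval_filter(insns, len, &d);
}
/* The supervisor role seitan plays, live: trap getppid() in a child through seccomp_unotify and answer
 * it with a fabricated value instead of letting it run. Returns what the child observed, -1 if the
 * kernel or sandbox refuses the listener (nothing is installed then), -2 if the notification failed. */
static long run_supervisor_demo(void)
{
    const struct match recipe[] = { { SYS_getppid, SECCOMP_RET_USER_NOTIF } };
    struct sock_filter insns[8];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(recipe, 1, insns, 8), .filter = insns };
    struct seccomp_notif req = { 0 };           /* must be zeroed before NOTIF_RECV */
    int lfd, status; pid_t pid;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    lfd = (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (lfd < 0) return -1;                     /* EINVAL before Linux 5.0, EPERM under some sandboxes */
    if ((pid = fork()) < 0) { close(lfd); return -1; }
    if (pid == 0) {                             /* target: the inherited filter turns this into a notification */
        long got = syscall(SYS_getppid);
        _exit(got == 4242 ? 0 : 1);
    }
    struct pollfd pfd = { .fd = lfd, .events = POLLIN };   /* bounded wait: a filter that never fires cannot hang us */
    if (poll(&pfd, 1, 5000) <= 0 || ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); close(lfd); return -2;
    }
    struct seccomp_notif_resp resp = { .id = req.id, .val = 4242 };   /* impersonate: getppid() never runs */
    ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    waitpid(pid, &status, 0);
    close(lfd);
    return (req.data.nr == SYS_getppid && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 4242 : -2;
}

int main(void) { return printf("supervisor demo -> %ld\n", run_supervisor_demo()) < 0; }
```

The filter is installed in the calling process before fork() so the child inherits it, which is why the demo traps a syscall the supervisor itself never makes (getppid()); otherwise the supervisor would block on its own notification. In the arrangement the page describes, seitan runs outside the target and the child would be the workload started by seitan-eater. The listener is closed at the end; from then on the trapped syscall fails with ENOSYS in any process still carrying the filter, which is the documented seccomp_unotify behaviour when no listener remains.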
Note that this project and its documentation still have some rough edges! No versions, no packages yet.
Do you want to know more? Watch the demos below, ask your questions on the users' list, or chat with us.

Do you want to contribute? Send patches to the development list... and chat with us!