diff options
| -rw-r--r-- | README.md | 103 |
1 files changed, 64 insertions, 39 deletions
@@ -4,42 +4,67 @@ Copyright (c) 2023 Red Hat GmbH Author: Stefano Brivio <sbrivio@redhat.com> --> -<style> -.markdown-body { - display: block; - font-family: Roboto Mono, monospace; - font-weight: 200; - font-size: 13pt; - line-height: 1.5; -} - -div > ul { - float: left; -} -</style> - -<img src="/static/seitan.svg" alt="seitan diagram" - style="object-fit: contain; width: 50%; float: left"> - -* **build-filter** - * build BPF binary-search tree - -* **build-table** - * build transformation table - -* **seitan-eater** - * load BPF blob - * attach filter - * call blocking syscall - * on return, start binary - -* **seitan** - * load transformation table blob - * listen to netlink proc connector - * look for seitan-eater, once found: - * get seccomp notifier via pidfd_getfd() - * listen to it, new syscall: - * look up in transformation table - * load args from memory - * execute transformation, unblock, or block - * return, optionally injecting context +<link rel="stylesheet" type="text/css" href="/static/asciinema-player.css" /> +<script src="/static/asciinema-player.min.js"></script> + +## *seitan* was at [DevConf.CZ 2023](https://devconfcz2023.sched.com/event/1MYkc/seitan-a-plant-based-recipe-against-syscall-anxiety)! Check out the [slides](https://seitan.rocks/static/seitan_devconf_2023.pdf) and the [recording](https://seitan.rocks/static/seitan_devconf_2023.webm) + +<div style="display: grid; grid-template-columns: 60% auto;"> +<div> + <img src="/static/seitan.svg" alt="seitan diagram"> +</div> +<div style="text-align: justify"> + +<h2> +<i>seitan</i> is a framework to filter, transform and impersonate system calls, +enabling privilege reduction in container and virtualisation engines +</h2> + +It allows you to filter and replay only the system calls you need, instead of +running things as root, or granting capabilities to processes. + +<ul> +<li><pre style="display: inline">seitan-cooker</pre> builds a BPF program and a + bytecode file (<i>gluten</i>) from a recipe with matches on system calls and + corresponding actions</li> +<li><pre style="display: inline">seitan-eater</pre> loads the BPF program + associated to the process context into the kernel, and runs the target + process. Container engines such as Podman can directly load this program via + OCI annotations instead</li> +<li><pre style="display: inline">seitan</pre> is the supervisor, getting + notifications via <pre style="display: inline">seccomp_unotify</pre>, + interpreting them according to <i>gluten</i>, and triggering the configured + actions as a result</li> +</ul> + +<h5>Note that this project and its documentation still have some rough edges! No versions, no packages yet.</h5> + +<h4>Do you want to know more?</h4> +Watch the <a href="#demo-handle-and-impersonate-connect-of-a-target-process-in-several-ways">demos</a> below, ask your questions on the +users' +<a href="https://lists.seitan.rocks/postorius/lists/seitan-user.seitan.rocks/">list</a>, +<a href="https://matrix.to/#/#seitan:libera.chat">chat</a> with us. + +<h4>Do you want to contribute?</h4> +Send patches to the development +<a href="https://lists.seitan.rocks/postorius/lists/seitan-dev.seitan.rocks/">list</a>... +<u><b>and</b></u> <a href="https://matrix.to/#/#seitan:libera.chat">chat</a> with us! + +</div> +</div> + +## Demo: handle and impersonate `connect()` of a target process in several ways + +<div id="demo_connect" style="width: 99%;"></div> + +## Demo: issue `mknod()` on behalf of a Podman container + +<div id="demo_mknod" style="width: 99%;"></div> +<script> +AsciinemaPlayer.create('/static/seitan-connect.cast', + document.getElementById('demo_connect'), + { cols: 112, rows: 24, preload: true, poster: 'npt:0:2' }); +AsciinemaPlayer.create('/static/seitan-mknod.cast', + document.getElementById('demo_mknod'), + { cols: 112, rows: 24, preload: true, poster: 'npt:0:2' }); +</script> |