From 6c8302e779fc70367fe396843d8491d2aec09eb3 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Thu, 15 Jun 2023 13:29:57 +0200 Subject: README --- README.md | 103 ++++++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 64 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index b23e2e8..5288678 100644 --- a/README.md +++ b/README.md @@ -4,42 +4,67 @@ Copyright (c) 2023 Red Hat GmbH Author: Stefano Brivio --> - - -seitan diagram - -* **build-filter** - * build BPF binary-search tree - -* **build-table** - * build transformation table - -* **seitan-eater** - * load BPF blob - * attach filter - * call blocking syscall - * on return, start binary - -* **seitan** - * load transformation table blob - * listen to netlink proc connector - * look for seitan-eater, once found: - * get seccomp notifier via pidfd_getfd() - * listen to it, new syscall: - * look up in transformation table - * load args from memory - * execute transformation, unblock, or block - * return, optionally injecting context + + + +## *seitan* was at [DevConf.CZ 2023](https://devconfcz2023.sched.com/event/1MYkc/seitan-a-plant-based-recipe-against-syscall-anxiety)! Check out the [slides](https://seitan.rocks/static/seitan_devconf_2023.pdf) and the [recording](https://seitan.rocks/static/seitan_devconf_2023.webm) + +
+
+ seitan diagram +
+
+ +

+seitan is a framework to filter, transform and impersonate system calls, +enabling privilege reduction in container and virtualisation engines +

+ +It allows you to filter and replay only the system calls you need, instead of +running things as root, or granting capabilities to processes. + +
    +
  • seitan-cooker
    builds a BPF program and a + bytecode file (gluten) from a recipe with matches on system calls and + corresponding actions
  • +
  • seitan-eater
    loads the BPF program + associated to the process context into the kernel, and runs the target + process. Container engines such as Podman can directly load this program via + OCI annotations instead
  • +
  • seitan
    is the supervisor, getting + notifications via
    seccomp_unotify
    , + interpreting them according to gluten, and triggering the configured + actions as a result
  • +
+ +
Note that this project and its documentation still have some rough edges! No versions, no packages yet.
+ +

Do you want to know more?

+Watch the demos below, ask your questions on the +users' +list, +chat with us. + +

Do you want to contribute?

+Send patches to the development +list... +and chat with us! + +
+
+ +## Demo: handle and impersonate `connect()` of a target process in several ways + +
+ +## Demo: issue `mknod()` on behalf of a Podman container + +
+ -- cgit v1.2.3
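Review bot: the rewritten component list in this hunk drops the only description of how the supervisor gets hold of the notifier: the removed lines said seitan watches the netlink proc connector for seitan-eater and then takes the seccomp notifier over with pidfd_getfd(), while the new "seitan" item only says it gets "notifications via seccomp_unotify". If that mechanism is unchanged, keep one clause for it, e.g. "is the supervisor, obtaining the seccomp notifier of the eater via pidfd_getfd() and getting notifications via seccomp_unotify, ..."; if it did change (the eater now running the target directly suggests it may have), say what replaced it, since this is the step a user evaluating the privilege model needs to understand. Two smaller points in the same hunk: "loads the BPF program associated to the process context" should read "associated with", and the seitan-eater item should spell out the ordering that the old list made explicit ("attach filter, call blocking syscall, on return start binary"), because "runs the target process" alone no longer tells the reader that the filter is in place before the target is executed.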