-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
falco plugin: add instructions how to build and use it
Signed-off-by: Alban Crequy <[email protected]>
- Loading branch information
Showing
8 changed files
with
124 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
*.md |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# seccompagent Falco plugin | ||
|
||
## Build the plugin standalone | ||
|
||
``` | ||
make -C falco-plugin | ||
ls -l falco-plugin/libseccompagent.so | ||
``` | ||
|
||
## Build a Falco container image with the plugin | ||
|
||
``` | ||
export CONTAINER_REPO=${USER}test.azurecr.io/falco-with-seccompagent | ||
export TAG=$CONTAINER_REPO:dev | ||
docker build -f falco-plugin/Dockerfile -t $TAG . | ||
docker push $TAG | ||
``` | ||
|
||
## Run Falco with the plugin | ||
|
||
Start Falco in a container as previously compiled: | ||
``` | ||
docker run --rm -i -t \ | ||
--privileged \ | ||
-v /var/run/docker.sock:/host/var/run/docker.sock \ | ||
-v /run/seccomp-agent-falco-plugin:/run/seccomp-agent-falco-plugin \ | ||
-v /proc:/host/proc:ro \ | ||
$TAG falco --modern-bpf | ||
``` | ||
|
||
Start the Seccomp Agent: | ||
``` | ||
sudo ./seccompagent -resolver=falco -log trace | ||
``` | ||
|
||
Launch a container and run a command: | ||
``` | ||
$ docker run --rm -it \ | ||
--security-opt \ | ||
seccomp=falco-plugin/seccomp-profile-demo.json \ | ||
busybox | ||
/ # mkdir /a | ||
``` | ||
|
||
Falco logs the following: | ||
``` | ||
Notice The seccomp agent detected a mkdir... | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
- name: seccompagent | ||
library_path: libseccompagent.so | ||
init_config: | ||
socketFile: /run/seccomp-agent-falco-plugin/seccomp-agent-falco-plugin.sock | ||
flushInterval: 30 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"defaultAction": "SCMP_ACT_ALLOW", | ||
"architectures": [ | ||
"SCMP_ARCH_X86_64" | ||
], | ||
"listenerPath": "/run/seccomp-agent.socket", | ||
"listenerMetadata": "MIDDLEWARE=falco", | ||
"syscalls": [ | ||
{ | ||
"action": "SCMP_ACT_NOTIFY", | ||
"names": [ | ||
"mkdir" | ||
] | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters