lockc
lockc is open source software that provides MAC (Mandatory Access Control) style security auditing for container workloads.
The main reason why lockc exists is that containers do not contain. Containers are not as secure and isolated as VMs. By default, they expose a lot of information about the host OS and provide ways to “break out” from the container. lockc aims to provide more isolation to containers and make them more secure.
The "Containers do not contain" documentation section explains what we mean by that phrase and what kind of behavior we want to restrict with lockc.
The main technology behind lockc is eBPF – to be more precise, its ability to attach to LSM hooks.
Architecture
The project consists of 3 parts:
- the set of BPF programs (written in C)
  - programs for monitoring processes, which detect whether new processes are running inside any container, which means applying policies to them
  - programs attached to particular LSM hooks, which allow or deny actions based on the policy applied to the container (currently all containers have the baseline policy applied; the mechanism of differentiating between policies per container/pod is yet to be implemented)
- lockcd – the userspace program (written in Rust)
  - loads the BPF programs into the kernel, pins them in BPFFS
  - monitors runc processes, registers new containers and determines which policy should be applied to a container
  - in the future, it's going to serve as the configuration manager and log collector
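The decision flow the architecture above describes (lockcd registers a container and its policy, the process-monitoring programs track which tasks live in that container, and the LSM-hook programs turn a policy into an allow/deny verdict) can be modelled in plain userspace C. The block below is an added example written for this page, not lockc's BPF code or lockcd: the policy names other than "baseline", the action kinds, the fixed-size arrays standing in for BPF maps, and the allow/deny rules are all illustrative assumptions.

```c
/* Added example: userspace model of lockc's container -> policy -> LSM verdict
 * flow. Not the project's code; names and rules are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_PROCS      64
#define MAX_CONTAINERS 8
#define NO_CONTAINER   (-1)

/* "baseline" is the policy the page says every container currently gets;
 * the other two levels are hypothetical. */
enum policy  { POLICY_BASELINE, POLICY_RESTRICTED, POLICY_PRIVILEGED };
/* Kinds of actions an LSM hook might be asked to judge (assumed). */
enum action  { ACT_MOUNT_FS, ACT_ACCESS_HOST_PATH, ACT_OPEN_CONTAINER_FILE };
/* LSM hooks return 0 to allow and a negative value to deny. */
enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = -1 };

/* Stand-ins for the BPF maps: pid -> container, container -> policy. */
struct tracked_proc { int pid; int container; };
static struct tracked_proc procs[MAX_PROCS];
static int nprocs;
static enum policy container_policy[MAX_CONTAINERS];
static bool container_known[MAX_CONTAINERS];

static int find_proc(int pid) {
    for (int i = 0; i < nprocs; i++)
        if (procs[i].pid == pid) return i;
    return -1;
}

static bool add_proc(int pid, int container) {
    if (find_proc(pid) >= 0 || nprocs >= MAX_PROCS) return false;
    procs[nprocs].pid = pid;
    procs[nprocs].container = container;
    nprocs++;
    return true;
}

/* lockcd side: a new container is registered together with its policy. */
bool register_container(int container, enum policy p) {
    if (container < 0 || container >= MAX_CONTAINERS) return false;
    container_policy[container] = p;
    container_known[container] = true;
    return true;
}

/* lockcd side: the container's first process is mapped to the container. */
bool register_container_root(int pid, int container) {
    if (container < 0 || container >= MAX_CONTAINERS) return false;
    if (!container_known[container]) return false;
    return add_proc(pid, container);
}

/* Process-monitoring side: a child of a tracked task inherits its container;
 * children of host processes are left untracked. */
bool track_fork(int parent_pid, int child_pid) {
    int i = find_proc(parent_pid);
    if (i < 0) return false;
    return add_proc(child_pid, procs[i].container);
}

/* Process-monitoring side: remove the mapping when the task exits. */
void track_exit(int pid) {
    int i = find_proc(pid);
    if (i < 0) return;
    procs[i] = procs[nprocs - 1];
    nprocs--;
}

int container_of(int pid) {
    int i = find_proc(pid);
    return i < 0 ? NO_CONTAINER : procs[i].container;
}

/* LSM-hook side: look up the caller's container and apply its policy.
 * Processes outside any container are not restricted by this model. */
enum verdict lsm_verdict(int pid, enum action act) {
    int c = container_of(pid);
    if (c == NO_CONTAINER) return VERDICT_ALLOW;
    switch (container_policy[c]) {
    case POLICY_PRIVILEGED: return VERDICT_ALLOW;
    case POLICY_BASELINE:   return act == ACT_MOUNT_FS ? VERDICT_DENY : VERDICT_ALLOW;
    case POLICY_RESTRICTED: return act == ACT_OPEN_CONTAINER_FILE ? VERDICT_ALLOW : VERDICT_DENY;
    }
    return VERDICT_DENY;
}

int main(void) {
    /* Constructed scenario: one baseline container whose init forks a child. */
    register_container(0, POLICY_BASELINE);
    register_container_root(100, 0);
    track_fork(100, 101);
    printf("pid 101 mount: %s\n",
           lsm_verdict(101, ACT_MOUNT_FS) == VERDICT_ALLOW ? "allow" : "deny");
    printf("pid 1 mount:   %s\n",
           lsm_verdict(1, ACT_MOUNT_FS) == VERDICT_ALLOW ? "allow" : "deny");
    return 0;
}
```

The point of the model is the ordering of responsibilities: the hook itself never parses configuration, it only does a map lookup on the calling task and applies whatever policy lockcd attached to that container, which is why process tracking (fork and exit) has to be correct before any hook verdict can be trusted.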
Install & Use
Copyright (C) 2022 lockc-project