-
Notifications
You must be signed in to change notification settings - Fork 15
YAML Profiles
Avi Lumelsky edited this page Dec 27, 2022
·
2 revisions
It is very convenient to specify all of you policies, for all of your 3rd party and open source modules, in a single YAML file.
- Generate a profile for your application using the tracing script.
- Create a YAML security profile from your trace.
- Build a sandbox (dtrace script) from the yaml file
- Run your app in your sandbox!
dtrace2) ➜ secimport git:(master) ✗ sudo dtrace -s src/secimport/templates/generate_profile.d -c "python -m http.server"
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
CTRL + C
Generated syscalls (yaml profile):
destructive: true
syscall_allowlist:
- __mac_syscall
- __pthread_canceled
- bind
- csrctl
- fgetattrlist
...
- read
- ioctl
- stat64
Done.After yout hit CTRL + C, after "Generated syscalls (yaml profile)", the YAML profile is printed.
An example for a template is available in example.yaml.
It should look like this:
# Example yaml file (with example syscalls)
modules:
requests:
destructive: true
syscall_allowlist:
- write
- ioctl
- stat64
fastapi:
destructive: true
syscall_allowlist:
- bind
- fchmod
- stat64
uvicorn:
destructive: true
syscall_allowlist:
- getpeername
- getpgrp
- stat64Save the output of dtrace into a local YAML file and proceed to step 3.
Usage:
python examples/create_profile_from_yaml.py <yaml_template_filename> <sandbox_target_filename>Example:
python examples/create_profile_from_yaml.py src/secimport/profiles/example.yaml /tmp/example.dOr, use the python API:
import secimport, pathlib
template_path = pathlib.Path(secimport.sandbox_helper.PROFILES_DIR_NAME / 'example.yaml')
sandbox_code = secimport.sandbox_helper.build_module_sandbox_from_yaml_template(template_path)sudo dtrace -s /tmp/example.d -c "python"And that's it!