eBPF Python runtime sandbox with seccomp (Blocks RCE).
MIT License
Published by avilum 11 months ago
Add warning for --with-dtrace support for python
Make trace.bt support any path to the python interpreter
Add info about "Could not resolve symbol" error on Ubuntu to FAQ.md
Published by avilum over 1 year ago
Added docker build and push to GH Actions
Published by avilum over 1 year ago
Blocking the following insecure syscalls by default in secimport build:
INSECURE_SYSCALLS = [
"vfork",
"clone",
"access",
"chdir",
"creat",
"dup",
"dup2",
"execve",
"faccessat",
"fcntl",
"fdatasync",
"fork",
"fstat",
"fsync",
"getegid",
"geteuid",
"getgid",
"getgroups",
"getpid",
"getppid",
"getrlimit",
"getsockname",
"getsid",
"getuid",
"ioctl",
"link",
"lseek",
"lstat",
"mkdir",
"mknod",
"open",
"openat",
"pipe",
"poll",
"read",
"readlink",
"readv",
"recvfrom",
"recvmsg",
"rename",
"rmdir",
"select",
"sendmsg",
"sendto",
"setgid",
"setgroups",
"setpgid",
"setpriority",
"setregid",
"setreuid",
"setrlimit",
"setsid",
"setsockopt",
"stat",
"symlink",
"truncate",
"umask",
"utime",
"utimes",
"write",
"writev",
]
Published by avilum over 1 year ago
The new usage I encourage is as follows:
pip install secimport==0.7.0
# Interactive quickstart
secimport interactive
#!/bin/bash
echo "FastAPI Example"
echo "Tracing the main application, hit CTRL+C/CTRL+D when you are done."
/workspace/Python-3.10.0/python -m secimport.cli trace --entrypoint fastapi_main.py
/workspace/Python-3.10.0/python -m secimport.cli build
/workspace/Python-3.10.0/python -m secimport.cli run --entrypoint fastapi_main.py
SecImport - A toolkit for Tracing and Securing Python Runtime using USDT probes and eBPF/DTrace: https://github.com/avilum/secimport/wiki/Command-Line-Usage
QUICK START:
>>> secimport interactive
EXAMPLES:
1. trace:
$ secimport trace
$ secimport trace -h
$ secimport trace_pid 123
$ secimport trace_pid -h
2. build:
# secimport build
$ secimport build -h
3. run:
$ secimport run
$ secimport run --entrypoint my_custom_main.py
$ secimport run --entrypoint my_custom_main.py --stop_on_violation=true
$ secimport run --entrypoint my_custom_main.py --kill_on_violation=true
$ secimport run --sandbox_executable /path/to/my_sandbox.bt --pid 2884
$ secimport run --sandbox_executable /path/to/my_sandbox.bt --sandbox_logfile my_log.log
$ secimport run -h
Published by avilum almost 2 years ago
Published by avilum about 2 years ago
Added pickle examples, improved logging and documentation
Published by avilum about 2 years ago
Version 0.4.0 adds the ability to generate a profile from a YAML template.
For full usage documentation, visit https://github.com/avilum/secimport/blob/master/docs/YAML_PROFILES.md
Published by avilum over 2 years ago
module = secure_import(
module_name="http",
syscalls_allowlist="""
access
exit
getentropy
...
Published by avilum over 2 years ago
Added an optional dtrace flag for destructive mode.
When set to False (the default is True), the process is not killed on a violation; the violation is only logged.
destructive (bool, optional): Whether to kill the process with SIGKILL (-9) upon violation of any of the configurations above. Defaults to True.