Project Title: KubeVirt Seccomp Integration and Automation

Abstract

Seccomp is a Linux kernel security facility that prevents processes from executing unauthorized syscalls. Kubernetes uses seccomp to limit the syscalls a container is permitted to make, which reduces the container's attack surface. However, we cannot assume that one size fits all: the default profile may either permit syscalls that the workload does not in fact require or prohibit legitimate ones. The goal of this project is to integrate and automate syscall auditing during testing, then use the test results to create a seccomp profile containing the syscalls actually used at runtime. Finally, the seccomp profile will be applied to the test suite to ensure that it does not block any needed syscalls.

Goals

The main objectives of this project are:
● Integrate syscall auditing during testing for KubeVirt
● Automate the process of creating a seccomp profile based on syscall usage at runtime
● Apply the custom seccomp profile to the test suite to ensure no required syscalls are blocked

Methodology

To achieve the goals of the project, we will follow these steps:
1. Analyze the existing codebase of KubeVirt to determine the best way to integrate syscall auditing and create a custom seccomp profile.
2. Identify the tools needed for syscall auditing and integrate them into KubeVirt's testing suite.
3. Collect the syscall usage data during testing and use it to generate a custom seccomp profile.
4. Implement the custom seccomp profile in KubeVirt's testing suite.
5. Test the profile by running the test suite with the custom seccomp profile to ensure that it doesn't block any required syscalls.

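Steps 3 to 5 can be sketched as follows. This is an added example, not part of the original proposal and not KubeVirt code. It assumes the tests ran on x86_64 under a log-only profile (defaultAction SCMP_ACT_LOG) so that the kernel wrote type=SECCOMP audit records; the function names, the partial syscall table and the sample records are constructed for illustration.

```python
import json
import re

# Partial x86_64 table, enough for the sample; a real run needs the full
# table (for example from the ausyscall tool).
X86_64_SYSCALLS = {0: "read", 1: "write", 3: "close", 9: "mmap",
                   16: "ioctl", 202: "futex", 257: "openat"}
AUDIT_ARCH_X86_64 = "c000003e"
SECCOMP_RE = re.compile(r"type=SECCOMP\b.*?\barch=([0-9a-f]+)\s+syscall=(\d+)")

# Constructed audit records (fields abridged), not captured from a real run.
SAMPLE_AUDIT_LOG = """\
type=SECCOMP msg=audit(1700000000.101:301): pid=4112 comm="qemu-kvm" sig=0 arch=c000003e syscall=16 compat=0 code=0x7ffc0000
type=SECCOMP msg=audit(1700000000.102:302): pid=4112 comm="qemu-kvm" sig=0 arch=c000003e syscall=257 compat=0 code=0x7ffc0000
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=1 success=yes exit=8 pid=4112 comm="qemu-kvm"
type=SECCOMP msg=audit(1700000000.104:304): pid=4120 comm="helper32" sig=0 arch=40000003 syscall=5 compat=1 code=0x7ffc0000
type=SECCOMP msg=audit(1700000000.105:305): pid=4112 comm="qemu-kvm" sig=0 arch=c000003e syscall=332 compat=0 code=0x7ffc0000
type=SECCOMP msg=audit(1700000000.106:306): pid=4112 comm="qemu-kvm" sig=0 arch=c000003e syscall=202 compat=0 code=0x7ffc0000
"""

def observed_syscalls(audit_text):
    """Return (names, unresolved numbers) from x86_64 SECCOMP records."""
    names, unresolved = set(), set()
    for arch, nr in SECCOMP_RE.findall(audit_text):
        if arch != AUDIT_ARCH_X86_64:
            continue  # the same number means a different syscall on another ABI
        name = X86_64_SYSCALLS.get(int(nr))
        if name:
            names.add(name)
        else:
            unresolved.add(int(nr))  # surfaced, never silently dropped
    return sorted(names), sorted(unresolved)

def build_profile(names):
    """Deny by default; allow only the syscalls seen during the test run."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW"}]}

def blocked_by(profile, audit_text):
    """Step 5 check: syscalls in a later run that the profile would deny."""
    allowed = {n for rule in profile["syscalls"]
               if rule["action"] == "SCMP_ACT_ALLOW" for n in rule["names"]}
    return [n for n in observed_syscalls(audit_text)[0] if n not in allowed]

if __name__ == "__main__":
    names, unresolved = observed_syscalls(SAMPLE_AUDIT_LOG)
    print(json.dumps(build_profile(names), indent=2))
    print("unresolved syscall numbers (fix before enforcing):", unresolved)
```

A non-empty unresolved list or a non-empty result from blocked_by means the generated profile is incomplete and should not yet be enforced on the test suite.
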
Timeline

Week 1-2:
● Familiarize with KubeVirt and its codebase
● Research and analyze the best way to integrate syscall auditing and create a custom seccomp profile

Week 3-4:
● Identify the tools needed for syscall auditing
● Integrate the tools into KubeVirt's testing suite

Week 5-6:
● Collect syscall usage data during testing
● Use the data to generate a custom seccomp profile

Week 7-8:
● Implement the custom seccomp profile in KubeVirt's testing suite
● Test the profile on a small scale

Week 9-10:
● Test the profile on a larger scale and collect feedback
● Iterate on the profile based on feedback

Week 11-12:
● Write documentation and prepare code for merge into KubeVirt

Deliverables

● Integration of syscall auditing into KubeVirt's testing suite
● Automated creation of a custom seccomp profile based on syscall usage at runtime
● Implementation of the custom seccomp profile in KubeVirt's testing suite
● Successful testing of the custom seccomp profile on a small and large scale
● Documentation of the integration and usage of the custom seccomp profile

Open Source Contribution

The project's outcomes will be contributed to KubeVirt as open source code. This will enhance the security of the KubeVirt project and benefit the community that uses it.

About Me

My name is Yash Chaudhari. I am a computer science student at G.H Raisoni College of Engineering, Nagpur, with experience in Linux kernel programming. I have little experience in open source contributions as well. I believe that this project is an excellent opportunity for me to combine my interests in open source and security to contribute to the KubeVirt community.

Conclusion

The integration of syscall auditing and creation of a custom seccomp profile will enhance the security of KubeVirt by reducing the attack surface of containers. This project will also provide valuable experience in system programming, security auditing, and open source contributions. I believe that I am a good fit for this project.