I'm investigating about kernel security using Docker. I'm testing seccomp and it works very well on Debian and Ubuntu, but It's not working on Kali Linux.
Example:
I created a simple json file called sec.json with this content:
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "mkdir",
"action": "SCMP_ACT_ERRNO"
}
]
}
It' suppossed that running a container using seccomp and this file will produce that you are not able to use mkdir command inside the container. This is the docker run command:
docker run --rm -ti --security-opt seccomp=/path/to/sec.json ubuntu:xenial sh
As I said it works very well on Debian and Ubuntu, but on Kali Linux I got this error:
docker: Error response from daemon: linux seccomp: seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile.
My docker-engine version is 17.05.0-ce and my Kernel is 4.9.0-kali3-amd64 #1 SMP Debian 4.9.18-1kali1 (2017-04-04) x86_64 GNU/Linux. I googled about this and is quite strange. It is suppossed that seccomp is supported if you can check this:
cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
I got as a result:
CONFIG_SECCOMP=y
So it's suppossed that it's supported. What am I missing or what is the explanation about this is not working on Kali? Thanks.
Ok I found this post. I'll try to answer myself:
https://github.com/moby/moby/issues/26497
Is quite similar. I checked my docker info output and on Ubuntu and Debian I have the Security Options: seccomp and I have nothing on Kali.
The possible explanation is the libseccomp2 package which contains the needed library is too old. Maybe if the Kali staff update the library it could be supported.
Use
echo 'apt::sandbox::seccomp "false";' > /etc/apt/apt.conf.d/999seccomp
That should work.
Related
I am writing software on macOS. As a subroutine I would like to call certain Linux-only CLI tools, e.g., > mytool inputfile. Can I use Docker for Mac to compile the Linux tool inside a container and call it from outside the container (after copying input files into the container?). And if I can, is it a good idea or will there be issues installing and compiling Linux packages?
From my understanding of docker as basically a lightweight VM that uses a stripped down version of a Linux distribution, this approach seems to make sense, but the stripped down aspect might be an impediment.
Can Docker be used to run Linux CLI tools from macOS?
Docker supports macOS according to documentation.
Can I use Docker for Mac to compile the Linux tool inside a container and call it from outside the container (after copying input files into the container?
Yes.
And if I can, is it a good idea
Depends on the term "good" - it's subjective and highly depends on specific case.
or will there be issues installing and compiling Linux packages?
No.
From my understanding of docker as basically a lightweight VM
Yes.
that uses a stripped down version of a Linux distribution, this approach seems to make sense, but the stripped down aspect might be an impediment.
What is in docker container depends on the container. Overall, usually man pages and system package manager repository information are removed from images. I would disagree - mostly docker containers come with full Linux distributions and can be used as such.
You should do as follow:
docker run --rm -v /:/host -ti ubuntu ... your command referring to /host...
And this is the command parameters explanation:
--rm : remove sthe container after running (but keep cached the image for next calls).
-t : allocates a visibile shell terminal.
-i : runs in interactive mode.
-v /:/host : maps your root folder to container /host folder.
ubuntu : pulls the ubuntu image, which you can change with any other you prefer.
As last parameter put the commands to run into the container but relatives to /host.
Here am experimenting on including firmware-atheros network driver package of Debian flavor of OS. Here goes the command
$ sudo mkosi -d debian -r buster -f -b -t gpt_ext4 --checksum --password password --package=vim,curl,git,firmware-atheros,linux-image-amd64 -o image.raw
Error on screen: subprocess.CalledProcessError:.... returned non-zero exit status 100.
Let me know what would be the issue when am trying to include the firmware-atheros package? is it in-compatible? or anything else I should include for resolving this conflict?
The above issue if you ever encounter, while working on generating a minimal operating system by using this command mkosi. Please include --repositories=main,non-free option. Since by default it only considers main only.
I read docs :
https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md
https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md
https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox.md
https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md
https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandbox_ipc.md
But can't figure out the way to have a properly configured sandbox, and no way to find the script update-linux-sandbox.sh on my system.
I've found it here
but I get :
$ ./update-linux-sandbox.sh
/tmp/../out/Debug does not exist. Use "BUILDTYPE=Release ./update-linux-sandbox.sh" If you are building in Release mode
$ BUILDTYPE=Release ./update-linux-sandbox.sh
/tmp/../out/Release does not exist. Use "BUILDTYPE=Release ./update-linux-sandbox.sh" If you are building in Release mode
The only insecure workaround I have is to use :
const browser = await puppeteer.launch(
{headless: true, args: ['--no-sandbox', '--disable-setuid-sandbox']}
);
Any idea to do the things properly ?
For Debian, in my case version 9 Stretch, the problem seems to be related to sandboxing not being turned on. Chromium will spit out the fatal-message:
No usable sandbox!
For a solution until reboot (run from the command-line as root):
echo 1 > /proc/sys/kernel/unprivileged_userns_clone
For a more permanent solution (run from the command-line as root):
echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
service procps restart
More Debian related info can be found here:
https://www.bountysource.com/issues/48328601-chrome-headless-doesn-t-launch-on-debian
https://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel
If you're here looking for a way to run Puppeteer in Centos7 without the --no-sandbox arg then the #MevatlaveKraspek answer won't work
I managed to get Puppeteer taking screenshots without the --no-sandbox flag arg by setting a Linux kernel parameter to enable namespacing (on CentOS Linux release 7.4.1708).
As root user run:
echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf
Check it worked with:
sudo sysctl -a | grep user.max_user_namespaces
Now reboot your system and run a script without using --no-sandbox e.g const browser = await puppeteer.launch();
If it still doesn't work you might be using an older Linux Kernel and will require a couple of extra args set in the Kernel.
As root user run:
grubby --args="user_namespace.enable=1 namespace.unpriv_enable=1" --update-kernel="$(grubby --default-kernel)"
Now reboot your system and check the Kernel command line for the 2 params you just added
cat /proc/cmdline
If they are in the command line run a script without using --no-sandbox again e.g const browser = await puppeteer.launch();
It should work now. If it doesn't you might be using an old kernel which doesn't support namespacing.
You can check your kernel version with:
uname -a
This is my kernel version which I've got Puppeteer running without --no-sandbox arg.
Linux centos7 3.10.0-693.21.1.el7.x86_64
Hope this helps :)
Figured it out : enable user namespace cloning from kernel :
sudo sysctl -w kernel.unprivileged_userns_clone=1
You can try:
As root user run: echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf
Reload sysctl: sysctl -p
I'm currently trying to get Vagrant to provision a working CentoOS7 image on Windows10, using Hyper-V. Vagrant 1.8.4, current latest.
I envcounter a problem where the provisioning fails and I need to workaround each time. The CentOS7 image is a minimal image and does not include cifs-utils, therefore the mount wont work. So, I need cifs-utils installed before mount.
Error:
==> default: Mounting SMB shared folders...
default: C:/Programs/vagrant_stuff/centos7 => /vagrant
Failed to mount folders in Linux guest. This is usually because
the "vboxsf" file system is not available. Please verify that
the guest additions are properly installed in the guest and
can work properly. The command attempted was:
mount -t cifs -o uid=`id -u vagrant`,gid=`getent group vagrant | cut -d: -f3`,sec=ntlm,credentials=/etc/smb_creds_4d99b2
d500a1bcb656d5a1c481a47191 //192.168.137.1/4d99b2d500a1bcb656d5a1c481a47191 /vagrant
mount -t cifs -o uid=`id -u vagrant`,gid=`id -g vagrant`,sec=ntlm,credentials=/etc/smb_creds_4d99b2d500a1bcb656d5a1c481a
47191 //192.168.137.1/4d99b2d500a1bcb656d5a1c481a47191 /vagrant
The error output from the last command was:
mount: wrong fs type, bad option, bad superblock on //192.168.137.1/4d99b2d500a1bcb656d5a1c481a47191,
missing codepage or helper program, or other error
(for several filesystems (e.g. nfs, cifs) you might
need a /sbin/mount.<type> helper program)
In some cases useful info is found in syslog - try
dmesg | tail or so.
As it is now, the provisioning has to fail, and I need to:
vagrant ssh (powershell)
(connect to instance via putty/ssh)
sudo yum install cifs-utils -y (putty/ssh)
(wait for install...)
exit (putty/ssh)
vagrant reload --provision (powershell)
This is obviously a pain and I am trying to streamline the process.
Does anyone know a better way?
You can install the missing package in your box and repackage this box so you can distribute a new version of this box containing the missing package.
In order to provision a vagrant box you need to create it from an iso. While preparing the box you can install all needed packages for you. In your case it is Hyper-v - https://www.vagrantup.com/docs/hyperv/boxes.html
Best Regards
Apparently my original question was downvoted for some reason. #whatever
As I mentioned in one of the comments above:
I managed to repackage and upload an updated version. Thanks for the advice. Its available in Atlas as "KptnKMan/bluefhypervalphacentos7repack".
Special thanks to #frédéric-henri :)
So, I need to run this command:
vnstat -tr
But as a user I just created, not as root, as root it works fine, but as a regular user I get this:
Error: Unable to get interface "eth0" statistics.
Error: Interface "eth0" not available, exiting.
Operating system: Debian Linux 6.0.6
The problem was grsecurity locking /proc/net/dev from viewing it by users. The solution was to downgrade from ovhs linux core from 3.10.X to 3.8.13.