https://github.com/bytedance/varmor

vArmor is a cloud native container sandbox system based on AppArmor/BPF/Seccomp. It also includes multiple built-in protection rules that are ready to use out of the box.


Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (8.5%) to scientific vocabulary

Keywords

apparmor apparmor-profiles bpf containers kubernetes lsm policy sandbox seccomp security
Last synced: 5 months ago

Repository


Basic Info
  • Host: GitHub
  • Owner: bytedance
  • License: apache-2.0
  • Language: Go
  • Default Branch: main
  • Homepage: https://varmor.org
  • Size: 70.9 MB
Statistics
  • Stars: 393
  • Watchers: 9
  • Forks: 45
  • Open Issues: 4
  • Releases: 39
Topics
apparmor apparmor-profiles bpf containers kubernetes lsm policy sandbox seccomp security
Created over 2 years ago · Last pushed 6 months ago
Metadata Files
Readme License Code of conduct

README.ja.md

Badges: BHArsenalUSA2024 · Go Report Card · License · Latest release

vArmor is a cloud-native container sandbox system. It implements its enforcers with Linux's AppArmor LSM, BPF LSM and Seccomp, and uses them to strengthen container isolation, reduce the kernel attack surface, and raise the difficulty and cost of container escape and lateral movement. vArmor runs on Kubernetes and can provide sandbox protection for a cluster's containers in scenarios such as:

* Multi-tenant environments in which hardware-virtualized container solutions cannot be adopted for cost or technical reasons.
* Critical business containers that need additional hardening, so that privilege escalation, escape and lateral movement become harder for an attacker.
* High-risk vulnerabilities that cannot be patched promptly; depending on the vulnerability type and exploitation vector, vArmor can block the exploit or raise its cost.

vArmor's features:

* Cloud native: vArmor follows the Kubernetes Operator design pattern, so workloads are hardened by manipulating the CRD API.
* Multiple enforcers: AppArmor, BPF and Seccomp are abstracted as enforcers and can be used individually or in combination.
* Allow by Default: only the behaviors a policy explicitly declares are blocked, which keeps policies compatible with existing workloads.
* Built-in rules: a set of protection rules is ready to use out of the box.
* Behavior modeling: vArmor can model a workload's behavior and derive a policy from it.

vArmor was created by the Elkeid Team of ByteDance's endpoint security department.

Note: where strict isolation is required, prefer hardware-virtualized containers (e.g. Kata Containers) for compute isolation, combined with the network isolation provided by the CNI's NetworkPolicy.

The enforcer is selected with the spec.policy.enforcer field of a VarmorPolicy or VarmorClusterPolicy object. Enforcers can be used individually (AppArmor, BPF, Seccomp) or combined (AppArmorBPF, AppArmorSeccomp, BPFSeccomp, AppArmorBPFSeccomp); each enforcer has its own requirements, listed below.

| Enforcer | Requirements | Recommended OS |
|----------|--------------|----------------|
| AppArmor | 1. Linux kernel 4.15 or later<br>2. AppArmor LSM enabled | GKE with Container-Optimized OS<br>AKS with Ubuntu 22.04 LTS<br>VKE with veLinux 1.0<br>Debian 10 or later<br>Ubuntu 18.04.0 LTS or later<br>veLinux 1.0 |
| BPF | 1. Linux kernel 5.10 or later (x86_64)<br>2. containerd v1.6.0 or later<br>3. BPF LSM enabled | EKS with Amazon Linux 2<br>GKE with Container-Optimized OS<br>VKE with veLinux 1.0 (with 5.10 kernel)<br>AKS with Ubuntu 22.04 LTS *<br>ACK with Alibaba Cloud Linux 3 *<br>OpenSUSE 15.4 *<br>Debian 11 *<br>Fedora 37<br>veLinux 1.0 with 5.10 kernel<br><br>* BPF LSM must be enabled manually |
| Seccomp | 1. Kubernetes v1.19 or later | All Linux distributions |
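The requirements in the table are worth checking on a node before choosing spec.policy.enforcer, because a policy that asks for an enforcer the node cannot provide will not protect anything. The preflight script below is an added example, not part of the vArmor project: the version thresholds and the x86_64 restriction come from the table, while the places it reads them from on a live node (uname, /sys/kernel/security/lsm, containerd --version, kubelet --version) and the word positions it parses out of those commands are assumptions about the node.

```shell
#!/bin/sh
# Node preflight for vArmor enforcers. Added example, not part of the vArmor
# project. Thresholds follow the requirements table; the probe sources
# (uname, /sys/kernel/security/lsm, containerd --version, kubelet --version)
# and the word positions parsed from them are assumptions about the node.
set -u

# version_ge A B: succeed if dotted version A >= B. A leading "v" and any
# suffix after the numeric part ("5.10.0-generic", "v1.6.21+k3s1") are ignored.
version_ge() {
  local a b ai bi i
  a=${1#v}; a=${a%%[!0-9.]*}; a="$a.0.0"
  b=${2#v}; b=${b%%[!0-9.]*}; b="$b.0.0"
  for i in 1 2 3; do
    ai=$(printf '%s' "$a" | cut -d. -f"$i")
    bi=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
  done
  return 0
}

# supported_enforcers KERNEL ARCH LSMS CONTAINERD K8S
#   KERNEL     "uname -r" output, e.g. 5.10.0-generic
#   ARCH       "uname -m" output, e.g. x86_64
#   LSMS       contents of /sys/kernel/security/lsm, e.g. lockdown,capability,yama,apparmor,bpf
#   CONTAINERD containerd version, e.g. 1.6.21 (pass 0 if unknown)
#   K8S        Kubernetes version, e.g. v1.28.2 (pass 0 if unknown)
# Prints the enforcers the node can run, space separated, in the order
# AppArmor BPF Seccomp; prints nothing when none qualifies.
supported_enforcers() {
  local kernel=$1 arch=$2 lsms=",$3," containerd=$4 k8s=$5 out=""
  # AppArmor: kernel >= 4.15 and the AppArmor LSM active
  if version_ge "$kernel" 4.15 && [ "${lsms#*,apparmor,}" != "$lsms" ]; then
    out="$out AppArmor"
  fi
  # BPF: kernel >= 5.10 on x86_64, containerd >= 1.6.0 and the BPF LSM active
  if version_ge "$kernel" 5.10 && [ "$arch" = x86_64 ] \
     && version_ge "$containerd" 1.6.0 && [ "${lsms#*,bpf,}" != "$lsms" ]; then
    out="$out BPF"
  fi
  # Seccomp: Kubernetes >= 1.19 (any Linux distribution)
  if version_ge "$k8s" 1.19; then
    out="$out Seccomp"
  fi
  printf '%s' "${out# }"
}

# Run with --probe on a node to report what the live system supports.
if [ "${1:-}" = "--probe" ]; then
  lsm_list=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
  cd_ver=$(containerd --version 2>/dev/null | awk '{print $3}')  # assumes "containerd <module> v1.6.21 <commit>"
  k8s_ver=$(kubelet --version 2>/dev/null | awk '{print $2}')     # assumes "Kubernetes v1.28.2"
  printf 'enforcers: %s\n' "$(supported_enforcers "$(uname -r)" "$(uname -m)" "$lsm_list" "${cd_ver:-0}" "${k8s_ver:-0}")"
fi
```

Run it with --probe from a node shell (or a debug pod that mounts the host's /sys and PATH). On the distributions the table marks with *, a kernel new enough for BPF but a result without BPF usually means bpf is missing from the active LSM list in /sys/kernel/security/lsm; adding it to the kernel's lsm= boot parameter and rebooting is what "enable manually" amounts to.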

vArmor policies support five modes: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling and DefenseInDepth. The built-in rules are applied in EnhanceProtect mode, on top of the RuntimeDefault baseline.

A policy-advisor tool is also provided to help generate policy templates.

Quick start

1. Pull the chart

```bash
helm pull oci://elkeid-ap-southeast-1.cr.volces.com/varmor/varmor --version 0.8.2
```

2. Install vArmor (users in mainland China can pull the image from elkeid-cn-beijing.cr.volces.com instead)

```bash
helm install varmor varmor-0.8.2.tgz \
    --namespace varmor --create-namespace \
    --set image.registry="elkeid-ap-southeast-1.cr.volces.com"
```

3. Try it out

```bash
# Create a namespace for the demo
kubectl create namespace demo

# Create a VarmorPolicy object in AlwaysAllow mode for the Deployments that
# match .spec.target.selector
kubectl create -f test/examples/1-apparmor/vpol-apparmor-alwaysallow.yaml

# Check the VarmorPolicy and the ArmorProfile generated from it
kubectl get VarmorPolicy -n demo
kubectl get ArmorProfile -n demo

# Create the target Deployment
kubectl create -f test/examples/1-apparmor/deploy.yaml

# Get the Pod name of the Deployment
POD_NAME=$(kubectl get Pods -n demo -l app=demo-1 -o name)

# Run a command in container c1: reading the service account token succeeds
kubectl exec -n demo $POD_NAME -c c1 -- cat /run/secrets/kubernetes.io/serviceaccount/token

# Update the VarmorPolicy to harden container c1 (EnhanceProtect mode)
kubectl apply -f test/examples/1-apparmor/vpol-apparmor-enhance.yaml

# Run the same command in c1 again: the read is now denied
kubectl exec -n demo $POD_NAME -c c1 -- cat /run/secrets/kubernetes.io/serviceaccount/token

# Delete the VarmorPolicy and the Deployment
kubectl delete -f test/examples/1-apparmor/vpol-apparmor-alwaysallow.yaml
kubectl delete -f test/examples/1-apparmor/deploy.yaml
```

4. Uninstall vArmor

```bash
helm uninstall varmor -n varmor
```
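The two manifests the quick start applies (vpol-apparmor-alwaysallow.yaml and vpol-apparmor-enhance.yaml) are not reproduced on this page. The script below is an added example, not a file from the vArmor repository: it renders a VarmorPolicy for the demo Deployment in either mode so the difference between the two steps of the demo is visible in one place. The apiVersion, kind and field layout follow the VarmorPolicy CRD; the policy name, the choice of AppArmor as enforcer and the two built-in rule IDs (disable-cap-privileged, mitigate-sa-leak) are choices made for this demo and are not taken from the page.

```shell
#!/bin/sh
# Render (and optionally apply) a VarmorPolicy for the quick-start Deployment.
# Added example, not a file from the vArmor repository. Field names follow the
# crd.varmor.org/v1beta1 VarmorPolicy CRD; the policy name, enforcer and rule
# IDs are choices made for this demo (assumptions, not taken from the page).
set -u

# render_policy MODE   MODE is AlwaysAllow or EnhanceProtect.
# Prints the manifest on stdout. Only the EnhanceProtect variant carries the
# enhanceProtect section, which is where built-in rules are declared; in
# AlwaysAllow mode the container keeps running unrestricted.
render_policy() {
  local mode=$1
  case "$mode" in
    AlwaysAllow|EnhanceProtect) ;;
    *) echo "render_policy: unsupported mode '$mode'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: crd.varmor.org/v1beta1
kind: VarmorPolicy
metadata:
  name: demo-1
  namespace: demo
spec:
  target:
    kind: Deployment
    selector:
      matchLabels:
        app: demo-1
    containers:
    - c1                     # only container c1 is sandboxed
  policy:
    enforcer: AppArmor
    mode: $mode
EOF
  [ "$mode" = EnhanceProtect ] || return 0
  cat <<'EOF'
    enhanceProtect:
      hardeningRules:
      - disable-cap-privileged            # drop the privileged capability set
      attackProtectionRules:
      - rules:
        - mitigate-sa-leak                # deny reads of the SA token files
EOF
}

# apply_policy MODE: pipe the rendered manifest into kubectl (needs a cluster).
apply_policy() {
  render_policy "$1" | kubectl apply -f -
}

# Usage: ./vpol.sh EnhanceProtect | kubectl apply -f -
if [ "${1:-}" != "" ]; then render_policy "$1"; fi
```

Applying the EnhanceProtect variant over the AlwaysAllow one with kubectl apply is the same transition the demo performs: the selector and target do not change, only spec.policy.mode and the rule sections, and the token read in c1 goes from succeeding to being denied.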

License

vArmor is licensed under Apache 2.0. The eBPF code (vArmor-ebpf) is licensed under GPL-2.0.

Credits

vArmor uses cilium/ebpf to manage and interact with its eBPF programs, and references part of the code of kyverno, developed by Nirmata.

Demo

Hardening a Deployment with vArmor so that an attempt to exploit CVE-2021-22555 (a heap out-of-bounds write in the kernel's netfilter x_tables code) from inside a container fails.

404Starlink

vArmor has joined the 404Starlink project.

Owner

  • Name: Bytedance Inc.
  • Login: bytedance
  • Kind: organization
  • Location: Singapore

GitHub Events

Total
  • Create event: 71
  • Release event: 18
  • Issues event: 19
  • Watch event: 99
  • Delete event: 65
  • Issue comment event: 4
  • Push event: 243
  • Pull request review comment event: 7
  • Pull request review event: 65
  • Pull request event: 198
  • Fork event: 15
Last Year
  • Create event: 71
  • Release event: 18
  • Issues event: 19
  • Watch event: 99
  • Delete event: 65
  • Issue comment event: 4
  • Push event: 243
  • Pull request review comment event: 7
  • Pull request review event: 65
  • Pull request event: 198
  • Fork event: 15

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 620
  • Total Committers: 6
  • Avg Commits per committer: 103.333
  • Development Distribution Score (DDS): 0.092
Past Year
  • Commits: 349
  • Committers: 3
  • Avg Commits per committer: 116.333
  • Development Distribution Score (DDS): 0.074
Top Committers
Name Email Commits
weiwei.danny w****y@b****m 563
lichanghao.orange l****e@b****m 53
大米 5****c 1
liyuxuan.darfux l****x@b****m 1
haoyun h****8@g****m 1
Ikko Eltociear Ashimine e****r@g****m 1

Issues and Pull Requests

Last synced: 5 months ago

All Time
  • Total issues: 27
  • Total pull requests: 350
  • Average time to close issues: 3 days
  • Average time to close pull requests: about 13 hours
  • Total issue authors: 10
  • Total pull request authors: 6
  • Average comments per issue: 1.63
  • Average comments per pull request: 0.01
  • Merged pull requests: 279
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 11
  • Pull requests: 183
  • Average time to close issues: 4 days
  • Average time to close pull requests: about 20 hours
  • Issue authors: 2
  • Pull request authors: 2
  • Average comments per issue: 0.36
  • Average comments per pull request: 0.0
  • Merged pull requests: 146
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • Danny-Wei (14)
  • UgOrange (3)
  • spoock1024 (2)
  • dejavudwh (2)
  • dzy176 (1)
  • qq451698436 (1)
  • JiaHuann (1)
  • m4p1e (1)
  • greenhandatsjtu (1)
  • root-q (1)
Pull Request Authors
  • Danny-Wei (258)
  • UgOrange (85)
  • jonyhy96 (2)
  • eltociear (2)
  • darfux (2)
  • xxddpac (1)
Top Labels
Issue Labels
bug (7) enhancement (2)
Pull Request Labels
enhancement (4) documentation (1)

Packages

  • Total packages: 2
  • Total downloads: unknown
  • Total dependent packages: 0
    (may contain duplicates)
  • Total dependent repositories: 0
    (may contain duplicates)
  • Total versions: 76
proxy.golang.org: github.com/bytedance/vArmor
  • Versions: 38
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Stargazers count: 4.0%
Forks count: 5.2%
Average: 7.4%
Dependent packages count: 9.6%
Dependent repos count: 10.8%
Last synced: 6 months ago
proxy.golang.org: github.com/bytedance/varmor
  • Versions: 38
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Stargazers count: 4.0%
Forks count: 5.2%
Average: 7.4%
Dependent packages count: 9.6%
Dependent repos count: 10.8%
Last synced: 6 months ago

Dependencies

cmd/classifier/Dockerfile docker
  • python 3.10-slim-buster build
cmd/varmor/Dockerfile docker
  • debian 10 build
  • golang 1.19-buster build
go.mod go
  • github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
  • github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652
  • github.com/Microsoft/go-winio v0.6.0
  • github.com/Microsoft/hcsshim v0.10.0-rc.7
  • github.com/bytedance/sonic v1.8.0
  • github.com/cenkalti/backoff v2.2.1+incompatible
  • github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311
  • github.com/cilium/ebpf v0.10.0
  • github.com/containerd/cgroups v1.1.0
  • github.com/containerd/containerd v1.7.0
  • github.com/containerd/continuity v0.3.0
  • github.com/containerd/fifo v1.1.0
  • github.com/containerd/ttrpc v1.2.1
  • github.com/containerd/typeurl/v2 v2.1.0
  • github.com/cyphar/filepath-securejoin v0.2.3
  • github.com/davecgh/go-spew v1.1.1
  • github.com/dlclark/regexp2 v1.9.0
  • github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
  • github.com/emicklei/go-restful/v3 v3.10.1
  • github.com/evanphx/json-patch v4.12.0+incompatible
  • github.com/gin-contrib/sse v0.1.0
  • github.com/gin-gonic/gin v1.9.0
  • github.com/go-logr/logr v1.2.3
  • github.com/go-logr/stdr v1.2.2
  • github.com/go-openapi/jsonpointer v0.19.5
  • github.com/go-openapi/jsonreference v0.20.0
  • github.com/go-openapi/swag v0.21.1
  • github.com/go-playground/locales v0.14.1
  • github.com/go-playground/universal-translator v0.18.1
  • github.com/go-playground/validator/v10 v10.11.2
  • github.com/goccy/go-json v0.10.0
  • github.com/gogo/protobuf v1.3.2
  • github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
  • github.com/golang/protobuf v1.5.2
  • github.com/google/gnostic v0.5.7-v3refs
  • github.com/google/go-cmp v0.5.9
  • github.com/google/gofuzz v1.2.0
  • github.com/google/uuid v1.3.0
  • github.com/hashicorp/go-version v1.6.0
  • github.com/imdario/mergo v0.3.13
  • github.com/jinzhu/copier v0.3.5
  • github.com/josharian/intern v1.0.0
  • github.com/json-iterator/go v1.1.12
  • github.com/julienschmidt/httprouter v1.3.0
  • github.com/klauspost/compress v1.16.0
  • github.com/klauspost/cpuid/v2 v2.0.9
  • github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20220103065246-e88285448f28
  • github.com/kubearmor/KubeArmor/protobuf v0.0.0-20211217093440-d99a1cb5f908
  • github.com/kyverno/kyverno v1.7.4
  • github.com/leodido/go-urn v1.2.1
  • github.com/mailru/easyjson v0.7.7
  • github.com/mattn/go-isatty v0.0.17
  • github.com/moby/locker v1.0.1
  • github.com/moby/sys/mountinfo v0.6.2
  • github.com/moby/sys/sequential v0.5.0
  • github.com/moby/sys/signal v0.7.0
  • github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
  • github.com/modern-go/reflect2 v1.0.2
  • github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
  • github.com/onsi/ginkgo/v2 v2.6.1
  • github.com/onsi/gomega v1.24.2
  • github.com/opencontainers/go-digest v1.0.0
  • github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
  • github.com/opencontainers/runc v1.1.4
  • github.com/opencontainers/runtime-spec v1.1.0-rc.1
  • github.com/opencontainers/selinux v1.11.0
  • github.com/pelletier/go-toml/v2 v2.0.6
  • github.com/pkg/errors v0.9.1
  • github.com/sirupsen/logrus v1.9.0
  • github.com/spf13/pflag v1.0.5
  • github.com/twitchyliquid64/golang-asm v0.15.1
  • github.com/ugorji/go/codec v1.2.9
  • go.opencensus.io v0.24.0
  • go.opentelemetry.io/otel v1.14.0
  • go.opentelemetry.io/otel/trace v1.14.0
  • go.uber.org/atomic v1.9.0
  • go.uber.org/multierr v1.7.0
  • go.uber.org/zap v1.24.0
  • golang.org/x/arch v0.0.0-20210923205945-b76863e36670
  • golang.org/x/crypto v0.5.0
  • golang.org/x/mod v0.7.0
  • golang.org/x/net v0.7.0
  • golang.org/x/oauth2 v0.4.0
  • golang.org/x/sync v0.1.0
  • golang.org/x/sys v0.6.0
  • golang.org/x/term v0.5.0
  • golang.org/x/text v0.7.0
  • golang.org/x/time v0.3.0
  • golang.org/x/tools v0.5.0
  • google.golang.org/appengine v1.6.7
  • google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4
  • google.golang.org/grpc v1.53.0
  • google.golang.org/protobuf v1.28.1
  • gopkg.in/inf.v0 v0.9.1
  • gopkg.in/yaml.v2 v2.4.0
  • gopkg.in/yaml.v3 v3.0.1
  • gotest.tools v2.2.0+incompatible
  • k8s.io/api v0.26.3
  • k8s.io/apimachinery v0.26.3
  • k8s.io/client-go v0.26.3
  • k8s.io/cri-api v0.26.3
  • k8s.io/klog/v2 v2.90.1
  • k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
  • k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
  • sigs.k8s.io/controller-runtime v0.14.5
  • sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2
  • sigs.k8s.io/structured-merge-diff/v4 v4.2.3
  • sigs.k8s.io/yaml v1.3.0
go.sum go
  • 1085 dependencies
cmd/classifier/requirements.txt pypi
  • Flask *
  • PyJWT ==1.7.1
  • gunicorn *
  • ipdb ==0.13.4
  • nptyping ==1.3.0
  • numpy ==1.22.0
  • tqdm ==4.50.2
test/demo/vulnerability-mitigation/CVE-2019-5736/exec_poc/Dockerfile docker
  • ubuntu latest build
test/demo/vulnerability-mitigation/CVE-2019-5736/malicious_image_poc/Dockerfile docker
  • ubuntu latest build
test/demo/vulnerability-mitigation/CVE-2022-0847-dirty-pipe/Dockerfile docker
  • ubuntu latest build
.github/workflows/ci-alpha-build.yml actions
  • actions/checkout v3 composite
  • actions/download-artifact v2 composite
  • actions/setup-go v4 composite
  • actions/upload-artifact v2 composite
  • docker/setup-buildx-action v2 composite
  • docker/setup-qemu-action v2 composite
.github/workflows/ci-go-unit-test.yml actions
  • actions/checkout v3 composite
  • actions/setup-go v4 composite
.github/workflows/ci-release-build.yml actions
  • actions/checkout v3 composite
  • actions/setup-go v4 composite
  • docker/setup-buildx-action v2 composite
  • docker/setup-qemu-action v2 composite
.github/workflows/ci-nightly-build.yml actions
  • actions/checkout v3 composite
  • actions/setup-go v4 composite
  • docker/setup-buildx-action v2 composite
  • docker/setup-qemu-action v2 composite