Introduction
lockc is open source software for providing MAC (Mandatory Access Control) type of security audit for container workloads.
The main reason why lockc exists is that containers do not contain. Containers are not as secure and isolated as VMs. By default, they expose a lot of information about host OS and provide ways to "break out" from the container. lockc aims to provide more isolation to containers and make them more secure.
The Containers do not contain documentation section explains why we mean by that phrase and what kind of behavior we want to restrict with lockc.
The main technology behind lockc is eBPF - to be more precise, its ability to attach to LSM hooks
Please note that currently lockc is an experimental project, not meant for production environments. Currently we don't publish any official binaries or packages to use, except of a Rust crate. Currently the most convenient way to use it is to use the source code and follow the guide.
Contributing
If you need help or want to talk with contributors, please come chat with
us on #lockc
channel on the Rust Cloud Native Discord server.
You can find the source code on GitHub and issues and feature requests can be posted on the GitHub issue tracker. lockc relies on the community to fix bugs and add features: if you'd like to contribute, please read the CONTRIBUTING guide and consider opening pull request.
License
lockc's userspace part is licensed under Apache License, version 2.0.
eBPF programs inside lockc/src/bpf directory are licensed under GNU General Public License, version 2.
Documentation is licensed under Mozilla Public License v2.0.