Breaking News

A container symbol that extracts the underlying container runtime and sends it to a far flung server.
Poke on the underlying container runtime of your favourite CSP container platform!

How does it paintings?

As showed by the use of runc CVE-2019-5736, conventional Linux container runtimes reveal themselves to the bins they are operating thru /proc/self/exe. whoc makes use of this hyperlink to learn the container runtime executing it.

Dynamic Mode

That is whoc default mode that works towards dynamically hooked up container runtimes.

  1. The whoc symbol entrypoint is able to /proc/self/exe, and the picture’s dynamic linker ( is changed with fake_ld.
  2. As soon as the picture is administered, the container runtime re-executes itself right through the container.
  3. Given the runtime is dynamically hooked up, the kernel moderately such a lot our faux dynamic linker to the runtime procedure and passes execution to it.
  4. fake_ld obtains a file descriptor for the runtime binary by the use of opening /proc/self/exe, and executes upload_runtime.
  5. upload_runtime reads the runtime binary from /proc/self/fd/<runtime-fd> and sends it to the configured far flung server.

Wait-For-Exec Mode

For statically hooked up container runtimes, whoc is available in each and every different taste: whoc:waitforexec.

  1. upload_runtime is the picture entrypoint, and runs because the whoc container PID 1.
  2. The patron is predicted to exec into the whoc container and invoke a file pointing to /proc/self/exe (e.g. docker exec whoc-ctr /proc/self/exe)
  3. As temporarily for the reason that exec happens, the container runtime re-executes itself right through the container
  4. upload_runtime reads the runtime binary thru /proc/<runtime-pid>/exe and sends it to the configured far flung server

Take a look at In the neighborhood

You are able to want docker and python3 put in. Clone the repository:

$ git clone [email protected]:twistlock/whoc.git

Arrange a file server to obtain the extracted container runtime:

$ cd whoc
$ mkdir -p stash && cd stash
$ ln -s ../util/ fileserver
$ ./fileserver

From each and every different shell, run the whoc symbol on your container surroundings of selection, for example Docker:

$ cd whoc
$ docker compile -f Dockerfile_dynamic -t whoc:newest src # or ./util/
$ docker run --rm -it --net=host whoc:newest # or ./util/

See that the file server won the container runtime. Since we run whoc beneath vanilla Docker, the won container runtime must be runc.

--net=host may be very highest utilized in native assessments in order that the whoc container may merely simply prevail throughout the fileserver at the host by the use of

Have the same opinion

Have the same opinion for whoc‘s number one binary, upload_runtime:

Utilization: upload_runtime [options] <server_ip>

Possible choices:
-p, --port Port of far flung server, defaults to 8080
-e, --exec Wait-for-exec mode for static container runtimes, waits till an exec to the container passed off
-b, --exec-bin In exec mode, overrides the default binary created for the exec, default is /bin/input
-a, --exec-extra-argument In exec mode, pass an extra argument to the runtime so it may not pass out briefly
-r, --exec-readdir-proc In exec mode, as an alternative of guessing the runtime pid (which provides whoc one shot of catching the runtime),
to look out the runtime thru way of searching for new processes beneath '/proc'

Leave a Reply

Your email address will not be published. Required fields are marked *

Donate Us