bytedance/vArmor

GitHub: bytedance/vArmor

Stars: 477 | Forks: 62


![BHArsenalUSA2024](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/625dcf7f6e002236.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor) [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![License](https://img.shields.io/badge/license-GPL-blue.svg)](https://opensource.org/license/gpl-2-0) [![Latest release](https://img.shields.io/github/v/release/bytedance/vArmor)](https://github.com/bytedance/vArmor/releases)

English | [简体中文](README.zh_CN.md) | [日本語](README.ja.md)

vArmor is a cloud-native container hardening system. It leverages Linux's [AppArmor LSM](https://en.wikipedia.org/wiki/AppArmor), [BPF LSM](https://docs.kernel.org/bpf/prog_lsm.html), [Seccomp](https://en.wikipedia.org/wiki/Seccomp), and **Network Proxy** ([Envoy](https://www.envoyproxy.io/)-based sidecar) technologies to implement enforcers. It can be used to strengthen container isolation, reduce the kernel attack surface, enforce network egress access control at L4/L7 levels — including TLS MITM for decrypted HTTPS inspection, HTTP header injection, and anti-Domain-Fronting protection — and increase the difficulty and cost of container escape or lateral movement attacks.

You can leverage vArmor in the following scenarios to provide sandbox protection for containers within a Kubernetes cluster.

* In multi-tenant environments, hardware-virtualized container solutions cannot be employed due to factors such as cost and technical conditions.
* You want to enhance the security of critical business containers, making it more difficult for attackers to escalate privileges, escape, or laterally move.
* When high-risk vulnerabilities are present but immediate remediation is not possible due to the difficulty or lengthy process of patching, vArmor can be used to mitigate the risks (depending on the vulnerability type or exploitation vector) to block or increase the difficulty of exploitation.
* You are deploying AI Agents or LLM-based applications and need to precisely control their outbound network access — preventing data exfiltration, unauthorized API calls, or abuse induced by prompt injection attacks.

*Note:*

- *The core of security defense lies in balancing risks and benefits, transforming uncontrollable risks into controllable costs by choosing different types of security boundaries and defense technologies.*
- *runc + vArmor does not provide an isolation level equivalent to that of hardware virtualization containers (such as Kata Containers and other lightweight virtual machines). If you require a high-intensity isolation solution, please consider using hardware virtualization containers for compute isolation, and utilize CNI's NetworkPolicy for network isolation.*
- *vArmor's NetworkProxy enforcer further complements NetworkPolicy by providing L7 access control for both HTTP and HTTPS (via TLS MITM), TLS SNI-based domain filtering, per-domain HTTP header injection, anti-Domain-Fronting protection, and comprehensive audit logging — capabilities that NetworkPolicy does not offer.*

**vArmor Features:**

vArmor was created by the **Elkeid Team** of the endpoint security department at ByteDance. The project is still in active development.

## Architecture
## Documentation

vArmor reference documents are available at [varmor.org](https://varmor.org).

⏩ **[Quick Start](https://www.varmor.org/docs/main/introduction)**
⚙️ **[Installation](https://www.varmor.org/docs/main/getting_started/installation)**
📔 **[Usage Instructions](https://www.varmor.org/docs/main/getting_started/usage_instructions)**
📜 **[Policies and Rules](https://www.varmor.org/docs/main/guides/policies_and_rules)**
⏱️ **[Performance Specifications](https://www.varmor.org/docs/main/guides/performance)**

## License

The vArmor project is licensed under Apache 2.0, except for third-party components, which are subject to different license terms. Please refer to the header information in the code files. Integrating vArmor into your own projects requires compliance with the Apache 2.0 License, as well as the other licenses applicable to the third-party components included within vArmor.

The eBPF code is located at [vArmor-ebpf](https://github.com/bytedance/vArmor-ebpf) and is licensed under GPL-2.0.

## Demo

Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555).)
![image](https://raw.githubusercontent.com/bytedance/vArmor/main/test/demos/CVE-2021-22555/demo.gif)

## 404Starlink

vArmor has joined [404Starlink](https://github.com/knownsec/404StarLink).