## https://sploitus.com/exploit?id=6B60869D-6661-51EA-A586-D3E5664ABAD8
# Charantej Architecture: Hardened Container Staging & Syscall Telemetry Lab
An enterprise-grade, defense-in-depth container containment and runtime security telemetry framework. Designed from the perspective of a Cisco Lead Cybersecurity Architect, the Charantej Architecture isolates staging runtimes, restricts system call surfaces, and instruments real-time kernel telemetry using host-level auditing to secure modern Linux container deployments.
---
## High-Level Design (HLD)
The Charantej Architecture enforces isolation, least-privilege containment, and out-of-band monitoring to ensure security boundaries remain resilient against host kernel compromise vectors.
```
+-------------------------------------------------+
| Host OS (Secured Linux Node) |
| |
| +--------------------+ +------------------+ |
| | Docker Container | | Host Auditor | |
| | | | (Falco Engine) | |
| | +--------------+ | | | |
| | | Audited App | | | +------------+ | |
| | | Namespace | | | | eBPF Probes| | |
| | +-------+------+ | | +-----+------+ | |
| +----------|---------+ +--------|---------+ |
| | | |
| +----------+-----------+ |
| | |
| v |
| [Host Linux Kernel] |
| | |
+------------------------|------------------------+
v
[SIEM / Log Repository]
```
### Trust Boundaries
1. **Container Runtime Sandbox:** The container namespace runs strictly as a non-privileged user, stripping all default Linux capabilities (`CAP_SYS_ADMIN`, `CAP_NET_ADMIN`, `CAP_NET_RAW`, etc.) to block raw system-level network manipulations.
2. **Syscall Whitelisting:** A custom Secure Computing Mode (seccomp) profile acts as a gatekeeper between containerized processes and the host kernel, preventing access to dangerous socket or namespace alteration system calls.
3. **Out-of-Band Instrumentation:** Event auditing runs out-of-band at the host level via eBPF tracing probes. This ensures that even if a container runtime is compromised, telemetry logging cannot be tampered with or disabled from within the container context.
---
## Low-Level Design (LLD)
The Low-Level Design defines the operational syscall validation logic, filter paths, and monitoring endpoints within the kernel boundary.
```mermaid
flowchart TD
subgraph ContainerSpace ["Container Namespace (User Space)"]
App["Audited Process"]
end
subgraph SeccompBoundary ["Seccomp Syscall Filter Boundary"]
Syscall["Syscall Invocation"]
Filter{"Syscall in Whitelist?"}
Block["SCMP_ACT_ERRNO (Block & Fail)"]
Allow["Allow & Pass"]
end
subgraph KernelSpace ["Linux Host Kernel Space"]
Handler["System Call Handler"]
Subsystem["Target Subsystem (e.g., Network/Memory)"]
end
subgraph TelemetryLayer ["Host Auditing Layer"]
eBPF["eBPF Probe Instrumentation"]
Falco{"Event Matches Rule?"}
Alert["Log syslog / SIEM Alarm"]
end
App -->|1. Invokes Syscall| Syscall
Syscall --> Filter
Filter -->|No: e.g., setsockopt/socket| Block
Filter -->|Yes: e.g., read/write| Allow
Allow --> Handler
Handler --> Subsystem
Handler -->|2. Traces Execution| eBPF
eBPF --> Falco
Falco -->|Yes| Alert
```
The Charantej Architecture is composed of three interconnected configuration layers to enforce security boundaries.
### 1. Hardened Container Staging (`docker-compose.yml`)
The orchestration configuration implements the following security controls:
- **`cap_drop: - ALL`**: Drops every default Linux kernel capability, preventing the container from gaining low-level administrative privileges.
- **`no-new-privileges:true`**: Prevents child processes from gaining more privileges than their parent process via `setuid` or `setgid` binaries.
- **`seccomp=seccomp-profile.json`**: Implements whitelisted system call filtering.
- **`read_only: true`**: Mounts the container root filesystem as read-only. This completely neutralizes write-inject vectors (such as unauthorized page-cache writes or payload filesystems) by blocking raw writes to system paths.
- **Resource Constraints**: Caps CPU usage to `0.5` cores and Memory to `256MB` to block resource exhaustion and denial-of-service (DoS) attempts on the host.
### 2. Syscall Whitelist Gatekeeper (`seccomp-profile.json`)
By default, Docker's seccomp filter allows a broad list of system calls. The Charantej Architecture restricts this to the absolute minimum required for basic process execution:
- **Default Action (`SCMP_ACT_ERRNO`)**: Blocks all system calls unless explicitly whitelisted in the profile.
- **Allowed Syscalls**: Permits only fundamental operating primitives (such as `read`, `write`, `exit`, `exit_group`, `futex`, `nanosleep`, `mmap`, `munmap`, `mprotect`, and `close`).
- **Blocked Vectors**: Explicitly blocks `socket` manipulations, `setsockopt` network changes, namespace joins (`setns`), and capability sets (`capset`), neutralizing unauthorized local privilege escalation (LPE) attempts.
### 3. eBPF Telemetry Tracing (`falco-rules.yaml`)
Host-level tracing rules monitor process and syscall boundaries:
- **`Det_Anomalous_Networking`**: Audits socket options and flags an immediate `CRITICAL ALERT` if any containerized process attempts to modify upper-layer protocols or ULP properties (`TCP_ULP` optname).
- **`Container_Privilege_Escalation_Attempt`**: Alerts on unauthorized attempts to join namespaces (`setns`) or modify capability sets (`capset`).
---
## Staging & Deployment Instructions
### 1. Local Staging Setup
Ensure you have Docker Desktop or Docker Engine installed on your host system.
1. Navigate to the project directory:
```bash
cd d:/fragnesia-cve-2026-46300
```
2. Build and start the containerized service in background mode:
```bash
docker compose up -d
```
3. Confirm that the container is running and verify the active hardening constraints:
```bash
docker ps -a --filter "name=charantej_secured_container"
```
### 2. Verifying the Seccomp Boundary
To verify that the seccomp profile is actively blocking unauthorized syscalls:
1. Attempt to execute an un-whitelisted command (e.g., executing network-intensive options) inside the container:
```bash
docker exec -it charantej_secured_container ping 127.0.0.1
```
2. The execution will immediately fail with `Operation not permitted` or a system-level `errno` block, proving that the Seccomp profile is intercepting the system call.
### 3. Verifying host-level telemetry
When Falco or a system-level eBPF tracing agent is active on the host:
- Any unauthorized system calls will trigger alerts inside `/var/log/syslog` or your central SIEM, logging the container ID, process name, and target syscall options.
---
## Live Exploit Demonstration (CVE-2026-46300 "Fragnesia")
This repository includes a live exploit simulation for CVE-2026-46300 to practically demonstrate the effectiveness of the Charantej Architecture.
The exploit attempts two vectors:
1. **Namespace Escape**: Attempting to hijack the host mount namespace using `setns()`.
2. **Kernel ULP Corruption**: Attempting unauthorized ULP memory manipulation via `setsockopt(TCP_ULP)`.
### Running the Exploit Test
A helper script is provided to automatically build the exploit and run it against an unmitigated container (representing a vulnerable system) and the Charantej-secured container.
1. Ensure Docker is running.
2. Execute the test script:
```bash
bash run_exploit.sh
```
### Expected Results
- **Unmitigated Environment**: The exploit will successfully execute both `setns()` and `setsockopt()`, reporting a "VULNERABLE" status.
- **Charantej Secured Environment**: The exploit is intercepted. `setns()` is blocked by capability drops (EPERM), and `socket()` / `setsockopt()` are explicitly neutralized by the Seccomp syscall filter boundary, reporting a "BLOCKED" status. This confirms that even if the Fragnesia payload gets executed, the Charantej architecture securely isolates the host from the exploit.