paint-brush
How To Harden Your Docker Containers Using Seccomp Security Profileby@sudip-sengupta
840 reads
840 reads

How To Harden Your Docker Containers Using Seccomp Security Profile

by Sudip SenguptaAugust 22nd, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Seccomp is a Linux kernel feature that improves several security features to help run Docker in a more secure environment. With version 1.10, Docker applied a default security profile to run a Docker container with the default profile. You can use your custom profile to unblock the desired syscalls, which we will cover later in this guide. In the following example, you are going to use your own custom profile. To run the container with a custom profile, edit the file your-custom-profile-to-file/profile.
featured image - How To Harden Your Docker Containers Using Seccomp Security Profile
Sudip Sengupta HackerNoon profile picture

Secure Computing Mode, also known as Seccomp, is a Linux kernel feature that improves several security features to help run Docker in a more secure environment.

It is more like a sandbox environment that not only acts as a firewall for syscalls but also enables you to restrict the actions available within the Docker containers to the host’s Linux kernel.

In this guide, you will learn how to run a container with and without the Seccomp profile.

Prerequisites

To get started with this guide, you need the following:

  • A Linux host with sudo privileges.
  • Seccomp enabled in Linux Kernel.
  • Latest Docker

To verify if your host’s kernel support Seccomp, run the following command in your host’s terminal:

$ grep SECCOMP /boot/config-$(uname -r)

CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y 

Alternatively, you can also run:

$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)

CONFIG_SECCOMP=y

In both ways, you see 

CONFIG_SECCOMP=y
 in your host terminal window. It means it does supports it.

Back in 2016, with version 1.10, Docker had applied a default Seccomp profile. Since then, the profile kept on updating, and now, it has 51 system calls or syscalls and doesn’t make to default whitelist and is effectively blocked. However, you can use your custom profile to unblock the desired syscalls, which we will cover later in this guide.

Now there are a couple of ways to run Docker container with a Seccomp profile, either you can run a docker container with the default profile through the command line, or specify a specific custom profile in .json format, or you can specify your Seccomp profile in Daemon configuration file.

Default Seccomp Profile:

If you didn’t specify a Seccomp profile, then Docker uses built-in Seccomp and Kernel configuration. To check this, you can run the following command:

$ docker run -it --rm --name alpine-test alpine /bin/sh

Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
e6b0cf9c0882: Pull complete 
Digest: sha256:2171658620155679240babee0a7714f6509fae66898db422ad803b951257db78
Status: Downloaded newer image for alpine:latest

To see if Seccomp filter is loaded inside the Alpine container:

/ # grep Seccomp /proc/$$/status

Seccomp:	2

Here you have 

grep
 the pseudo-filesystem to access the kernel data, which indicates that default Seccomp filter was applied inside the running container.

Custom Seccomp Profile:

There are scenarios where you want to override the default profile, which gives you extra control and capabilities to play with. In the following example, you are going to use your own custom profile.

We are going to download Docker’s official default profile and make changes to it:

$ wget https://raw.githubusercontent.com/docker/labs/master/security/seccomp/seccomp-profiles/default.json -O /path/to/file/your-custom-profile.json

Once you have the .json file with you, it’s time to make changes to the file your-custom-profile.json. For this guide, we are simply going to restrict 

mkdir
 command inside the container. To do this, open the file and find 
mkdir
 system call, and remove all the references to the 
mkdir
 in the file, which could look something like this:

... 	
	{
			"name": "mkdir",
			"action": "SCMP_ACT_ALLOW",
			"args": []
	},
... 

Once you edit the profile, try to run the Docker container with it:

$ docker run -it --rm --security-opt seccomp=/path/to/file/your-custom-profile.json --name alpine-custom-seccomp alpine /bin/sh
/ # mkdir test
mkdir: can't create directory 'test': Operation not permitted
/ #

The newly created profile container doesn’t allow you to run the 

mkdir
syscall.

This way, you can create your own custom profile and make changes to it as per your requirement, as there are a number of operations which you can restrict like 

chown
chmod
 and so on..

Run Container without Seccomp:

For some reason, if you wish to run a container without Seccomp profile, then you can override this by using 

--security-opt
 flag with
unconfined
flag:

$ docker run -it --rm --security-opt seccomp=unconfined --name alpine-wo-seccomp alpine /bin/sh

To see if your docker container runs without Seccomp profile, use this:

/ # grep Seccomp /proc/$$/status

Seccomp:	0

You will see 

Seccomp: 0
, which means the container is running without the default Seccomp profile. Note that it is not recommended to do unless you know what you are doing, as a certain security loop-hole will be wide open and can be exploited.

Alternatively, you can use 

--privileged
 flag, which can also disable the Seccomp, even if you specify the custom Seccomp profile.

This article was originally posted on https://appfleet.com/blog/hardening-docker-container/.