Before you go, check out these stories!

0
Hackernoon logoHow To Harden Your Docker Containers Using Seccomp Security Profile by@sudip-sengupta

How To Harden Your Docker Containers Using Seccomp Security Profile

Author profile picture

@sudip-senguptaSudip Sengupta

Solution Architect | Technical Content Writer

Secure Computing Mode, also known as Seccomp, is a Linux kernel feature that improves several security features to help run Docker in a more secure environment.

It is more like a sandbox environment that not only acts as a firewall forĀ syscallsĀ but also enables you to restrict the actions available within the Docker containers to the hostā€™s Linux kernel.

In this guide, you will learn how to run a container with and without the Seccomp profile.

Prerequisites

To get started with this guide, you need the following:

  • A Linux host with sudo privileges.
  • Seccomp enabled in Linux Kernel.
  • Latest Docker

To verify if your hostā€™s kernel support Seccomp, run the following command in your hostā€™s terminal:

$ grep SECCOMP /boot/config-$(uname -r)

CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y 

Alternatively, you can also run:

$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)

CONFIG_SECCOMP=y

In both ways, you seeĀ 

CONFIG_SECCOMP=y
Ā in your host terminal window. It means it does supports it.

Back in 2016, with version 1.10, Docker had applied a default Seccomp profile. Since then, the profile kept on updating, and now, it hasĀ 51 system calls or syscallsĀ and doesnā€™t make to default whitelist and is effectively blocked. However, you can use your custom profile to unblock the desired syscalls, which we will cover later in this guide.

Now there are a couple of ways to run Docker container with a Seccomp profile, either you can run a docker container with the default profile through the command line, or specify a specific custom profile in .json format, or you can specify your Seccomp profile in Daemon configuration file.

Default Seccomp Profile:

If you didnā€™t specify a Seccomp profile, then Docker uses built-in Seccomp and Kernel configuration. To check this, you can run the following command:

$ docker run -it --rm --name alpine-test alpine /bin/sh

Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
e6b0cf9c0882: Pull complete 
Digest: sha256:2171658620155679240babee0a7714f6509fae66898db422ad803b951257db78
Status: Downloaded newer image for alpine:latest

To see if Seccomp filter is loaded inside the Alpine container:

/ # grep Seccomp /proc/$$/status

Seccomp:	2

Here you haveĀ 

grep
Ā the pseudo-filesystem to access the kernel data, which indicates that default Seccomp filter was applied inside the running container.

Custom Seccomp Profile:

There are scenarios where you want to override the default profile, which gives you extra control and capabilities to play with. In the following example, you are going to use your own custom profile.

We are going to download Dockerā€™s official default profile and make changes to it:

$ wget https://raw.githubusercontent.com/docker/labs/master/security/seccomp/seccomp-profiles/default.json -O /path/to/file/your-custom-profile.json

Once you have theĀ .jsonĀ file with you, itā€™s time to make changes to the fileĀ your-custom-profile.json. For this guide, we are simply going to restrictĀ 

mkdir
Ā command inside the container. To do this, open the file and findĀ 
mkdir
Ā system call, and remove all the references to theĀ 
mkdir
Ā in the file, which could look something like this:

... 	
	{
			"name": "mkdir",
			"action": "SCMP_ACT_ALLOW",
			"args": []
	},
... 

Once you edit the profile, try to run the Docker container with it:

$ docker run -it --rm --security-opt seccomp=/path/to/file/your-custom-profile.json --name alpine-custom-seccomp alpine /bin/sh
/ # mkdir test
mkdir: can't create directory 'test': Operation not permitted
/ #

The newly created profile container doesnā€™t allow you to run theĀ 

mkdir
syscall.

This way, you can create your own custom profile and make changes to it as per your requirement, as there are a number of operations which you can restrict likeĀ 

chown
,Ā 
chmod
Ā and so on..

Run Container without Seccomp:

For some reason, if you wish to run a container without Seccomp profile, then you can override this by usingĀ 

--security-opt
Ā flag with
unconfined
flag:

$ docker run -it --rm --security-opt seccomp=unconfined --name alpine-wo-seccomp alpine /bin/sh

To see if your docker container runs without Seccomp profile, use this:

/ # grep Seccomp /proc/$$/status

Seccomp:	0

You will seeĀ 

Seccomp: 0
, which means the container is running without the default Seccomp profile. Note that it is not recommended to do unless you know what you are doing, as a certain security loop-hole will be wide open and can be exploited.

Alternatively, you can useĀ 

--privileged
Ā flag, which can also disable the Seccomp, even if you specify the custom Seccomp profile.

This article was originally posted on https://appfleet.com/blog/hardening-docker-container/.

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.