, also known as Seccomp, is a Linux kernel feature that improves several security features to help run Docker in a more secure environment. Secure Computing Mode It is more like a sandbox environment that not only acts as a firewall for but also enables you to restrict the actions available within the Docker containers to the host’s Linux kernel. syscalls In this guide, you will learn how to run a container with and without the Seccomp profile. Prerequisites To get started with this guide, you need the following: A Linux host with sudo privileges. Seccomp enabled in Linux Kernel. Latest Docker To verify if your host’s kernel support Seccomp, run the following command in your host’s terminal: $ grep SECCOMP /boot/config-$(uname -r) CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_SECCOMP=y Alternatively, you can also run: $ grep CONFIG_SECCOMP= /boot/config-$(uname -r) CONFIG_SECCOMP=y In both ways, you see in your host terminal window. It means it does supports it. CONFIG_SECCOMP=y Back in 2016, with version 1.10, Docker had applied a default Seccomp profile. Since then, the profile kept on updating, and now, it has and doesn’t make to default whitelist and is effectively blocked. However, you can use your custom profile to unblock the desired , which we will cover later in this guide. 51 system calls or syscalls syscalls Now there are a couple of ways to run Docker container with a Seccomp profile, either you can run a docker container with the default profile through the command line, or specify a specific custom profile in format, or you can specify your Seccomp profile in Daemon configuration file. .json Default Seccomp Profile: If you didn’t specify a Seccomp profile, then Docker uses built-in Seccomp and Kernel configuration. To check this, you can run the following command: $ docker run -it --rm --name alpine-test alpine /bin/sh Unable to find image locally latest: Pulling from library/alpine e6b0cf9c0882: Pull complete Digest: sha256:2171658620155679240babee0a7714f6509fae66898db422ad803b951257db78 Status: Downloaded newer image alpine:latest 'alpine:latest' for To see if Seccomp filter is loaded inside the Alpine container: / Seccomp: 2 # grep Seccomp /proc/$$/status Here you have the pseudo-filesystem to access the kernel data, which indicates that default Seccomp filter was applied inside the running container. grep Custom Seccomp Profile: There are scenarios where you want to override the default profile, which gives you extra control and capabilities to play with. In the following example, you are going to use your own custom profile. We are going to download Docker’s official default profile and make changes to it: $ wget https://raw.githubusercontent.com/docker/labs/master/security/seccomp/seccomp-profiles/default.json -O /path/to/file/your-custom-profile.json Once you have the file with you, it’s time to make changes to the file . For this guide, we are simply going to restrict command inside the container. To do this, open the file and find system call, and remove all the references to the in the file, which could look something like this: .json your-custom-profile.json mkdir mkdir mkdir ... { : , : , : [] }, ... "name" "mkdir" "action" "SCMP_ACT_ALLOW" "args" Once you edit the profile, try to run the Docker container with it: $ docker run -it --rm --security-opt seccomp=/path/to/file/your-custom-profile.json --name alpine-custom-seccomp alpine /bin/sh / mkdir: can # mkdir test 't create directory ' test ': Operation not permitted / # The newly created profile container doesn’t allow you to run the . mkdir syscall This way, you can create your own custom profile and make changes to it as per your requirement, as there are a number of operations which you can restrict like , and so on.. chown chmod Run Container without Seccomp: For some reason, if you wish to run a container without Seccomp profile, then you can override this by using flag with flag: --security-opt unconfined $ docker run -it --rm --security-opt seccomp=unconfined --name alpine-wo-seccomp alpine /bin/sh To see if your docker container runs without Seccomp profile, use this: / Seccomp: 0 # grep Seccomp /proc/$$/status You will see , which means the container is running without the default Seccomp profile. Note that it is not recommended to do unless you know what you are doing, as a certain security loop-hole will be wide open and can be exploited. Seccomp: 0 Alternatively, you can use flag, which can also disable the Seccomp, even if you specify the custom Seccomp profile. --privileged This article was originally posted on https://appfleet.com/blog/hardening-docker-container/ .
