Feedback

Chat Icon

Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Docker Security Best Practices
73%

Use Seccomp

Seccomp is a Linux kernel feature that allows you to restrict the system calls that a process can make. It's commonly used to restrict the actions available within a container. Here are some common system calls:

  • open(): Opens a file.
  • read(): Reads data from a file descriptor.
  • write(): Writes data to a file descriptor.
  • _exit(): Terminates the calling process.

By default, a container has around 44 disabled system calls out of 300+. The remaining calls that are still open may be susceptible to attacks. For a high level of security, you can set seccomp profiles individually for containers. However, it's important to understand each system call and its impact on your application.

Here is an example that removes the ability to create folders by blocking the mkdir and mkdirat system calls.

# Download the default Seccomp profile
wget https://raw.githubusercontent.com/moby/profiles/refs/tags/seccomp/v0.1.0/seccomp/default.json \
    -O profile.json

# Remove mkdir and mkdirat system calls from the profile
sed -i '/"mkdir"/d' profile.json
sed -i '/"mkdirat"/d' profile.json


# create a container with a Seccomp profile
docker run -d -it --security-opt seccomp=profile.json --name seccomp-container alpine tail -f /dev/null

Now, try to create a directory inside the container:

# run the mkdir command
docker exec -it seccomp-container mkdir test

You will get an error message:

mkdir: cannot create directory 'test': Operation not permitted

If we reuse the default profile without removing the mkdir and mkdirat system calls, the command will succeed:

# Download the default Seccomp profile again
wget https://raw.githubusercontent.com/moby/profiles/refs/tags/seccomp/v0.1.0/seccomp/default.json \
    -O profile.json

# create a container with the default Seccomp profile
docker run -d -it \
  --security-opt seccomp=profile.json \
  --name seccomp-container-2 alpine \
  tail -f /dev/null

# run the mkdir command
docker exec -it seccomp-container-2 mkdir test

# list the directory to confirm the folder was created
docker exec -it seccomp-container-2 ls

To obtain the comprehensive list of system calls that can be managed using seccomp in Linux, you can install and use auditd.

apt update && apt install auditd -y
ausyscall --dump

The seccomp (secure computing mode) profile can be customized to block or allow specific system calls based on your security requirements. Seccomp is a Linux kernel feature that restricts which system calls (syscalls) a process is allowed to make. Indeed, every program eventually talks to the kernel via syscalls. Therefore, file access, networking, process creation, memory management, time, signals - all go through syscalls. If a syscall is blocked, the kernel stops it before it does anything.

Seccomp doesn't understand commands like curl, python or git. It only understands syscalls like openat, read, write, mkdirat, clone, etc. Open the file and you'll see something like this (simplified):

{

Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Enroll now to unlock all content and receive all future updates for free.

Unlock now  $31.99$25.59

Hurry! This limited time offer ends in:

To redeem this offer, copy the coupon code below and apply it at checkout:

Learn More
Previous Next