Hardening Docker Container Using Seccomp Security Profile

jimaek

Dmitriy A.

Posted on May 31, 2020

Hardening Docker Container Using Seccomp Security Profile

Secure Computing Mode, also known as Seccomp, is a Linux kernel feature that improves several security features to help run Docker in a more secure environment.

It is more like a sandbox environment that not only acts as a firewall for syscalls but also enables you to restrict the actions available within the Docker containers to the host’s Linux kernel.

In this guide, you will learn how to run a container with and without the Seccomp profile.

Prerequisites

To get started with this guide, you need the following:

  • A Linux host with sudo privileges.
  • Seccomp enabled in Linux Kernel.
  • Latest Docker

To verify if your host’s kernel support Seccomp, run the following command in your host’s terminal:

$ grep SECCOMP /boot/config-$(uname -r)

CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y 

Alternatively, you can also run:

$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)

CONFIG_SECCOMP=y

In both ways, you see CONFIG_SECCOMP=y in your host terminal window. It means it does supports it.

Back in 2016, with version 1.10, Docker had applied a default Seccomp profile. Since then, the profile kept on updating, and now, it has 51 system calls or syscalls and doesn’t make to default whitelist and is effectively blocked. However, you can use your custom profile to unblock the desired syscalls, which we will cover later in this guide.

Now there are a couple of ways to run Docker container with a Seccomp profile, either you can run a docker container with the default profile through the command line, or specify a specific custom profile in .json format, or you can specify your Seccomp profile in Daemon configuration file.

Default Seccomp Profile:

If you didn’t specify a Seccomp profile, then Docker uses built-in Seccomp and Kernel configuration. To check this, you can run the following command:

$ docker run -it --rm --name alpine-test alpine /bin/sh

Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
e6b0cf9c0882: Pull complete 
Digest: sha256:2171658620155679240babee0a7714f6509fae66898db422ad803b951257db78
Status: Downloaded newer image for alpine:latest

To see if Seccomp filter is loaded inside the Alpine container:

/ # grep Seccomp /proc/$$/status

Seccomp:    2

Here you have grep the pseudo-filesystem to access the kernel data, which indicates that default Seccomp filter was applied inside the running container.

Custom Seccomp Profile:

There are scenarios where you want to override the default profile, which gives you extra control and capabilities to play with. In the following example, you are going to use your own custom profile.

We are going to download Docker’s official default profile and make changes to it:

$ wget https://raw.githubusercontent.com/docker/labs/master/security/seccomp/seccomp-profiles/default.json -O /path/to/file/your-custom-profile.json

Once you have the .json file with you, it’s time to make changes to the file your-custom-profile.json. For this guide, we are simply going to restrict mkdir command inside the container. To do this, open the file and find mkdir system call, and remove all the references to the mkdir in the file, which could look something like this:

...     
    {
            "name": "mkdir",
            "action": "SCMP_ACT_ALLOW",
            "args": []
    },
... 

Once you edit the profile, try to run the Docker container with it:

$ docker run -it --rm --security-opt seccomp=/path/to/file/your-custom-profile.json --name alpine-custom-seccomp alpine /bin/sh
/ # mkdir test
mkdir: can't create directory 'test': Operation not permitted
/ #

The newly created profile container doesn’t allow you to run the mkdir syscall.

This way, you can create your own custom profile and make changes to it as per your requirement, as there are a number of opreations which you can restrict like chown, chmod and so on..

Run Container without Seccomp:

For some reason, if you wish to run a container without Seccomp profile, then you can override this by using --security-opt flag with unconfined flag:

$ docker run -it --rm --security-opt seccomp=unconfined --name alpine-wo-seccomp alpine /bin/sh

To see if your docker container runs without Seccomp profile, use this:

/ # grep Seccomp /proc/$$/status

Seccomp:    0

You will see Seccomp: 0, which means the container is running without the default Seccomp profile. Note that it is not recommended to do unless you know what you are doing, as a certain security loop-hole will be wide open and can be exploited.

Alternatively, you can use --privileged flag, which can also disable the Seccomp, even if you specify the custom Seccomp profile.

💖 💪 🙅 🚩
jimaek
Dmitriy A.

Posted on May 31, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related