In this lab, we need to create a custom seccomp profile which has a default action to allow system calls to occur and bans certain listed system calls. After that, we need to run a test container with our seccomp profile. With that, we will need to conduct some tests to see if the calls on the list were banned or not.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Check Seccomp Capabilities
grep SECCOMP /boot/config-$(uname -r)Expected output:
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_SECCOMP=y- Create Our Own Policy and Override the Default Seccomp Profile
vim /home/cloud_user/myProfile.json{ "defaultAction": "SCMP_ACT_ALLOW", "architectures": [ "SCMP_ARCH_X86_64" ], "syscalls": [ { "name": "chmod", "action": "SCMP_ACT_ERRNO" }, { "name": "fchmod", "action": "SCMP_ACT_ERRNO" }, { "name": "fchmodat", "action": "SCMP_ACT_ERRNO" }, { "name": "mkdir", "action": "SCMP_ACT_ERRNO" } ] }ESC :wq ENTER- Run a Container with a Custom Seccomp Profile
sudo docker run --rm -it --security-opt seccomp=/home/cloud_user/myProfile.json debian:jessie sh- Test the Restrictions within the Container
The following should be denied.
mkdir testExpected output:
mkdir: cannot create directory 'test': Operation not permittedThe following should work.
touch testFileThe following should be denied.
chmod +x testFileExpected output:
chmod: changing permissions of 'testFile': Operation not permitted
