Modify Seccomp Profile of a Container

45 minutes
3 Learning Objectives

About this Hands-on Lab

In this lab we modify the seccomp profile of an LXD container. First we create a container from the Ubuntu 18.04 image. Then we change the container's seccomp profile so that the `mkdir`, `chmod`, and `chown` syscalls, including their `*at` and file-descriptor variants, are denied. Finally we run tests from inside the container to verify that the calls are blocked.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Container with an Ubuntu 18.04 Image

    lxc launch ubuntu:18.04 my-test-container

Modify Seccomp Profile for the Container to Not Allow mkdir, chmod, or chown

Edit the seccomp profile for my-test-container (for the snap build of LXD the file lives under /var/snap/lxd/common/lxd/security/seccomp/ instead):

    sudo vim /var/lib/lxd/security/seccomp/my-test-container

The profile is in liblxc's seccomp policy format: one syscall name per line followed by an action. The action errno 38 makes the call return ENOSYS ("Function not implemented") to the caller instead of killing the process. Each of the three operations has several syscall variants, and current coreutils binaries use the *at forms (mkdirat, fchmodat, fchownat), so denying only mkdir, chmod and chown would block nothing. Add the following lines:

    mkdir errno 38
    mkdirat errno 38
    chmod errno 38
    fchmod errno 38
    fchmodat errno 38
    chown errno 38
    fchown errno 38
    lchown errno 38
    fchownat errno 38

Save and quit vim (ESC, :wq, ENTER).

Seccomp filters are installed when a container starts, so the already running container is not affected until it is restarted. Note also that LXD rewrites this file from the container's configuration on every start; the durable place for the same lines is the container's security.syscalls.blacklist configuration key (renamed security.syscalls.deny in newer LXD releases).

Run Tests to Verify the Calls Have Been Blocked

Open a shell in the container and attempt each operation:

    lxc exec my-test-container -- bash
    mkdir test
    chown root:root /bin
    chmod +x /bin

Each command should fail with "Function not implemented", the message for errno 38 (ENOSYS), for example: mkdir: cannot create directory 'test': Function not implemented. If the commands succeed, the filter is not active in the running container.
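The same procedure as a script, added here as an example and not part of the original lab: it derives the nine deny rules from the three operation names, applies them through the container's security.syscalls.blacklist key (LXD 3.x; security.syscalls.deny in newer releases) so that LXD writes them into the profile on every start, restarts the container, and checks from inside that each call fails with ENOSYS. The container name and errno value are the lab's; the function names, the --apply flag and the CONTAINER variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build, apply and verify an LXD seccomp denylist for
# mkdir/chmod/chown. Not part of the original lab; the container name comes
# from the lab, the function names and the --apply flag are this script's own.
set -eu

CONTAINER="${CONTAINER:-my-test-container}"
ENOSYS=38   # errno 38 = ENOSYS, "Function not implemented"

# Every syscall a userspace tool may use for each operation. coreutils
# mkdir/chmod/chown on a current glibc call the *at variants, so denying
# only the bare names would block nothing.
variants_for() {
  case "$1" in
    mkdir) echo "mkdir mkdirat" ;;
    chmod) echo "chmod fchmod fchmodat" ;;
    chown) echo "chown fchown lchown fchownat" ;;
    *)     echo "$1" ;;   # unknown operation: deny just that name
  esac
}

# Emit one liblxc seccomp policy line per syscall: "<syscall> errno <n>".
deny_rules() {
  for op in "$@"; do
    for sc in $(variants_for "$op"); do
      printf '%s errno %d\n' "$sc" "$ENOSYS"
    done
  done
}

# Number of rules deny_rules emits for the given operations.
rule_count() {
  deny_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules via container config (LXD regenerates the file under
# /var/lib/lxd/security/seccomp/ from this key at every start), then verify.
apply_and_verify() {
  rules="$(deny_rules mkdir chmod chown)"
  # Key is security.syscalls.blacklist in LXD 3.x, security.syscalls.deny later.
  lxc config set "$CONTAINER" security.syscalls.blacklist "$rules"
  lxc restart "$CONTAINER"   # seccomp filters are installed at container start
  # Expect "Seccomp: 2": the container's init runs under a seccomp filter.
  lxc exec "$CONTAINER" -- grep Seccomp /proc/1/status

  err="$(mktemp)"
  for check in "mkdir /tmp/seccomp-test" "chmod +x /tmp" "chown root:root /tmp"; do
    # lxc exec returns the exit status of the command run inside the container.
    if lxc exec "$CONTAINER" -- sh -c "$check" 2>"$err"; then
      echo "FAIL: '$check' succeeded"; rm -f "$err"; return 1
    fi
    if ! grep -q "Function not implemented" "$err"; then
      echo "FAIL: '$check' failed for another reason:"; cat "$err"; rm -f "$err"; return 1
    fi
    echo "ok: '$check' blocked with ENOSYS"
  done
  rm -f "$err"
}

if [ "${1:-}" = "--apply" ]; then
  apply_and_verify
else
  deny_rules mkdir chmod chown   # dry run: print the nine profile lines
fi
```

Run it without arguments to review the generated lines; run it with --apply on the LXD host to set the key, restart the container and perform the checks. Setting the key rather than editing the generated file is what keeps the rules in place across restarts.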

Additional Resources

LXD is up and running. Create a container from the Ubuntu 18.04 image, then modify the seccomp profile for the container to deny all variants of the mkdir, chmod, and chown syscalls.

A link to the man pages for Linux syscalls: http://man7.org/linux/man-pages/man2/syscalls.2.html
