Introduction to seccomp
I’ve seen seccomp, short for “secure computing,” become an essential tool in my Linux toolkit. It’s a Linux kernel feature that lets you filter system calls, effectively limiting what a process can do. This is especially useful when running containers - it helps prevent a compromised container from causing damage to the host system. In this article, I’ll explore how to use seccomp to lock down container privileges in Linux.
Understanding seccomp Profiles
A seccomp profile is basically a set of rules that define which system calls are allowed or denied for a process. These profiles can be applied to a process or a container, restricting its capabilities. There are two types of seccomp profiles:
- Filter: Allows you to specify which system calls are allowed or denied.
- Trap: Allows you to specify which system calls should trigger a signal when called.
To create a seccomp profile, you can use the seccomp command-line tool or write a profile in a specific format. The profile format is based on the Berkeley Packet Filter (BPF) syntax. Don’t bother with the BPF syntax unless you really need to - the seccomp tool makes it easy to create profiles.
Creating a seccomp Profile
Let’s create a simple seccomp profile that denies the execve system call, which is used to execute a new program. This can help prevent a container from running arbitrary commands.
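# Create a new file for the seccomp profile
cat > seccomp.json <<'EOF'
{"defaultAction": "SCMP_ACT_ALLOW", "syscalls": [{"names": ["execve"], "action": "SCMP_ACT_ERRNO"}]}
EOF
This profile allows every system call by default and uses the SCMP_ACT_ERRNO action to deny the execve system call. I usually start with a simple profile like this and then add more rules as needed.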
Applying a seccomp Profile to a Container
To apply the seccomp profile to a container, you can use the --security-opt flag with the docker run command. Here’s an example:
# Run a container with the seccomp profile applied
docker run --security-opt seccomp=seccomp.json -it ubuntu /bin/bash
In this example, the seccomp.json profile is applied to the container, denying the execve system call. The real trick is to find the right balance between security and functionality - you don’t want to deny access to necessary system calls.
Using seccomp with Podman
If you’re using Podman instead of Docker, you can apply a seccomp profile using the --security-opt flag as well:
# Run a container with the seccomp profile applied using Podman
podman run --security-opt seccomp=seccomp.json -it ubuntu /bin/bash
Troubleshooting seccomp Issues
When working with seccomp, you may encounter issues where a container is denied access to a system call. To troubleshoot these issues, you can use the strace command to see which system calls are being made and which ones are being denied.
# Run strace on a container to see system calls
strace -f -v docker run -it ubuntu /bin/bash
This will show you the system calls being made by the container, helping you identify which calls are being denied. This is where people usually get burned - they don’t test their seccomp profiles thoroughly enough.
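To test a profile against a workload before deploying it, the strace output can be checked against the profile offline. The following is an added example, not code from the original article: it assumes a profile in Docker's JSON layout (a defaultAction plus a syscalls list of names and action), uses constructed strace lines, and does not model argument-level conditions (args).

```python
import re
from collections import Counter

# Constructed profile, same structure as a Docker seccomp JSON file.
PROFILE = {"defaultAction": "SCMP_ACT_ALLOW",
           "syscalls": [{"names": ["execve"], "action": "SCMP_ACT_ERRNO"}]}

# Constructed `strace -f` output (not captured from a real run).
TRACE = """\
execve("/bin/bash", ["/bin/bash"], 0x7ffc1a2b3c40 /* 9 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD) = 42
[pid    42] execve("/usr/bin/id", ["id"], 0x55d0c0ffee00 /* 9 vars */ <unfinished ...>
[pid    41] wait4(-1,  <unfinished ...>
[pid    42] <... execve resumed>) = 0
[pid    42] write(1, "uid=0(root)\\n", 12) = 12
[pid    42] +++ exited with 0 +++
<... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 42
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=42} ---
"""

# A syscall entry starts with an optional "[pid N]" prefix, then name(.
# "<... x resumed>", signal ("---") and exit ("+++") lines do not match.
CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

def syscalls_in_trace(trace):
    """Count each syscall name that is entered in the strace output."""
    hits = (CALL.match(line) for line in trace.splitlines())
    return Counter(m.group(1) for m in hits if m)

def action_for(profile, name):
    """Action of the first rule naming the syscall, else defaultAction."""
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]

def blocked_calls(profile, trace):
    """Map syscalls the workload makes to their non-allow action."""
    counts = syscalls_in_trace(trace)
    verdicts = {n: action_for(profile, n) for n in counts}
    return {n: (a, counts[n]) for n, a in verdicts.items()
            if a not in ("SCMP_ACT_ALLOW", "SCMP_ACT_LOG")}

if __name__ == "__main__":
    for name, (action, n) in sorted(blocked_calls(PROFILE, TRACE).items()):
        print(f"{name}: {action} ({n} call(s) in trace)")
```

Any syscall reported here is one the workload actually uses and the profile would not allow, which is the case that breaks a container after the profile is applied.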
Security Considerations
When using seccomp to lock down container privileges, it’s essential to consider the security implications. A well-crafted seccomp profile can help prevent a compromised container from causing damage to the host system. However, a poorly crafted profile can lead to unintended consequences, such as denying access to necessary system calls. In practice, it’s all about finding the right balance between security and functionality.
To learn more about seccomp and its usage, you can visit the official Linux kernel documentation.
Best Practices for seccomp Profiles
When creating seccomp profiles, it’s essential to follow best practices to ensure they are effective and secure. Here are some tips:
- Keep your profiles simple and focused on specific use cases.
- Use the deny keyword to block unnecessary system calls.
- Test your profiles thoroughly to ensure they don’t deny access to necessary system calls.
- Use tools like strace to troubleshoot issues with your profiles.
By following these best practices and using seccomp effectively, you can help lock down container privileges and improve the security of your Linux systems.