+420 774 447 953   [email protected]
The cart is empty

Using Seccomp Rules to Limit System Calls Docker Containers Can Utilize on CentOS 7

Securing containers to be resilient against attacks exploiting system calls is crucial in today's landscape. One way to achieve this is by utilizing Seccomp (Secure Computing Mode), which allows restricting the system calls a process can make. This article elucidates how to implement Seccomp rules for Docker containers running on CentOS 7.

Prerequisites

Before you commence, ensure you have:

  • CentOS 7 operating system installed.
  • Docker installed, with support for Seccomp.

Installation and Configuration of Docker

  1. Docker Installation: Employ the yum install docker command to install Docker on your CentOS 7 system.
  2. Launching Docker: After installation, start the Docker service using systemctl start docker and enable automatic start at boot using systemctl enable docker.

Basics of Seccomp

Seccomp (Secure Computing Mode) is a Linux security mechanism that restricts available system calls for a process, significantly enhancing security by minimizing the attack surface.

Creating a Seccomp Profile

  1. Default Profile: Docker automatically uses a default Seccomp profile, which is sufficiently secure for most applications. However, you may want to create a custom profile for your application's specific needs.
  2. Creating a Custom Profile: A Seccomp profile is a JSON file that defines which system calls are allowed and which are disallowed. To create a custom profile, create a file named my_seccomp_profile.json and define rules as required.

Example Seccomp Profile:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X86_64"
  ],
  "syscalls": [
    {
      "names": [
        "clone",
        "execve"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": []
    },
    {
      "names": [
        "chmod",
        "chown"
      ],
      "action": "SCMP_ACT_ERRNO",
      "args": []
    }
  ]
}

In this profile, system calls clone and execve are allowed, while chmod and chown are disallowed.

Using a Seccomp Profile with Docker Container

While launching a Docker container, you can use a custom Seccomp profile using the --security-opt flag. For example:

docker run --rm -it --security-opt seccomp=my_seccomp_profile.json ubuntu bash

This command runs a container with the Ubuntu image and applies the Seccomp rules defined in your profile.

 

Employing Seccomp rules to limit system calls in Docker containers is an effective method to enhance the security of your applications. By creating custom Seccomp profiles, you can achieve precise security tailored to your application's requirements. On CentOS 7, this process is straightforward and easily integrable into your development lifecycle.

 

 

Best sellers

2,6 €

1,5 €

29 €

32 €