
Configure a Custom Seccomp Profile

Hands-On Lab


Length: 00:45:00

Difficulty: Intermediate

In this lab, we create a custom seccomp profile whose default action allows system calls and which blocks a specific list of system calls. We then run a test container with that profile and run some tests to see whether the listed calls are actually blocked.


Connecting to the Lab

  1. Begin by logging in to the lab server using the credentials provided on the hands-on lab page.

    ssh cloud_user@PUBLIC_IP_ADDRESS

Check Seccomp Capabilities

  1. Check that the running kernel was built with seccomp support by running the following command.

    grep SECCOMP /boot/config-$(uname -r)

  2. Verify the output matches the following.

    CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
    CONFIG_SECCOMP_FILTER=y
    CONFIG_SECCOMP=y

Create Our Own Policy and Override the Default Seccomp Profile

  1. Create and open a profile.

    vim /home/cloud_user/myProfile.json

  2. Paste the following into the file.

    {
      "defaultAction": "SCMP_ACT_ALLOW",
      "architectures": [
          "SCMP_ARCH_X86_64"
      ],
      "syscalls": [
        {
          "name": "chmod",
          "action": "SCMP_ACT_ERRNO"
        },
        {
          "name": "fchmod",
          "action": "SCMP_ACT_ERRNO"
        },
        {
          "name": "fchmodat",
          "action": "SCMP_ACT_ERRNO"
        },
        {
          "name": "mkdir",
          "action": "SCMP_ACT_ERRNO"
        }
      ]
    }

  3. Save the changes to the file and exit the editor.

Run a Container with a Custom Seccomp Profile

  1. Start a container with the custom profile applied.

    sudo docker run --rm -it --security-opt seccomp=/home/cloud_user/myProfile.json debian:jessie sh

Test the Restrictions within the Container

  1. Try to create a directory and verify the action is denied.

    mkdir test

  2. Try to create a file. This should be permitted.

    touch testFile

  3. Verify the existence of the file.

    ls

  4. Try to change permissions on the file and verify this action is denied.

    chmod +x testFile
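
A profile with `SCMP_ACT_ALLOW` as its default refuses only the syscalls it names, so it is worth auditing for related calls it leaves open. The following added example (not part of the original lab) checks the lab's profile for such gaps; the `FAMILIES` table and all function names are assumptions made for illustration, and the table is not exhaustive.

```python
import json

# The lab's profile, embedded so the example runs offline.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"name": "chmod",    "action": "SCMP_ACT_ERRNO"},
    {"name": "fchmod",   "action": "SCMP_ACT_ERRNO"},
    {"name": "fchmodat", "action": "SCMP_ACT_ERRNO"},
    {"name": "mkdir",    "action": "SCMP_ACT_ERRNO"}
  ]
}
""")

# Assumed, non-exhaustive groups of syscalls that perform the same operation.
# A rule on one member does not cover the others (fchmodat2 exists on Linux 6.6+).
FAMILIES = [
    {"mkdir", "mkdirat"},
    {"chmod", "fchmod", "fchmodat", "fchmodat2"},
]
ALLOWING = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}  # actions that let the call proceed

def rule_names(rule):
    """Syscalls a rule covers: legacy "name" string or newer "names" list."""
    return list(rule.get("names", [])) + ([rule["name"]] if rule.get("name") else [])

def blocked_syscalls(profile):
    """Syscalls given an unconditional (no "args" filter) non-allowing action."""
    blocked = set()
    for rule in profile.get("syscalls", []):
        if rule["action"] not in ALLOWING and not rule.get("args"):
            blocked.update(rule_names(rule))
    return blocked

def uncovered_siblings(profile):
    """For an allow-by-default profile, map blocked calls to open siblings."""
    if profile.get("defaultAction") not in ALLOWING:
        return {}  # deny-by-default: unlisted calls are already refused
    blocked = blocked_syscalls(profile)
    gaps = {}
    for family in FAMILIES:
        hit, missing = family & blocked, family - blocked
        if hit and missing:
            gaps[", ".join(sorted(hit))] = sorted(missing)
    return gaps

if __name__ == "__main__":
    print("blocked:", sorted(blocked_syscalls(PROFILE)))
    print("gaps:", uncovered_siblings(PROFILE))
```

For the lab's profile this reports `mkdirat` and `fchmodat2` as unlisted, which is why the in-container tests depend on which syscalls the image's `mkdir` and `chmod` binaries actually issue.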

Conclusion

Congratulations, you've completed this hands-on lab!