Seccomp (Secure computing mode) is a linux kernal feature used to restrict the system calls of an application to the kernal. Why do we need this feautre? An application doesn’t need access to all system calls which linux kernal provides, so if we keep access to other system calls then we are widening the attack surface.

How syscall works in linux

In linux, kernal is the core software component which make calls to the computer hardware components. The kernal has two areas in its space. One is user space where the application or processes run and another one is the linux kernal which has the device drivers and kernal code. The application/process runs in user space communicate to the linux kernal using the systemcall. We could use the tool strace to analyze the system call made by an application.

eg: strace -c ls /var/log

There are more than 400 system calls in linux which can be be used by the applications for the device and networking related tasks. Since the applications are built for specific tasks, it may not need to make use of these many syscalls. We could check whether the seccomp application is installed in the linux box by checking the boot configuration. The below command could be used to check the boot configuration. If the below command prints CONFIG_SECCOMP=Y then we could confirm that the seccomp is supported by the linux kernal.

grep -i seccomp /boot/config-$(uname -r) # uname command is used to print the basic system information.

How do I check my processes are sandboxed by seccomp?

We could check the seccomp flag associated with the process by running the below command.

grep Seccomp /proc/<pid>/status

Here the pid the process id of the program eg: sh. We could run ps -ef command to find the pids of running processes.

• 0: Seccomp is not enabled.
• 1: Seccomp runs in the “strict mode”.
• 2: Seccomp-bpf is enabled

How could we use seccomp in contrainer environment to control the syscalls

The docker environment has built-in seccomp filter but the host kernal should support the seccomp. You could check here for the default seccomp profile. A seccomp profile consits of three sections. 1) architecture of the system 2) syscalls that has to be handled (allow or deny) 3) the default action that has to be taken if seccomp finds a syscall that is not part of the syscalls array. The below command runs a docker container which overrides the default seccomp profile and uses an user provided profile.

docker run --rm \
             -it \
             --security-opt seccomp=/path/to/seccomp/profile.json \
             hello-world

In case we need to disable the seccomp filtering in docker container use the option –security-opt seccomp=unconfined. We recommend never to use this one in production environment.

How could we configure seccomp in kubernetes

By default seccomp is not enabled in kubernetes. This can be enabled by using the securityContext section in the pod or container spec. The below configuration enables the default seccomp filter profile.

spec:
  securityContext:
    seccompProfile: 
      type: RuntimeDefault

The default location where we could place the custom seccomp profile is /var/lib/kubelet/seccomp. Usally a diractory called profiles is created inside the seccomp directory to store the custom profiles. Once the custom profile is added to the profiles directory the above definition could be modified to use the custom profile.

spec:
  securityContext:
    seccompProfile: 
      type: Localhost
      localhostProfile: profiles/custom.json

In order to prevent the container which runs inside the container to override the seccomp profile of the pod we need to add the configuration allowPrivilegeEscalation: false in the container level of the pod definition file.

  securityContext:
    allowPrivilegeEscalation: false

In case if we want to explicitly disable seccomp for a pod or container use configure the seccompProfile type Unconfined.

spec:
  securityContext:
    seccompProfile: 
      type: Unconfined

Please note that the seccomp is disabled in the containers running in privileged mode.

Conclusion

In this article, we have gone through the basic information on seccomp that is required to prepare for the CKS exam.