Output of amicontained when run with the RuntimeDefault seccomp profile:
Container Runtime: docker
Has Namespaces:
pid: true
user: false
AppArmor Profile: unconfined
Capabilities:
Seccomp: filtering
Blocked Syscalls (69):
SYSLOG SETUID SETGID SETSID SETREUID SETREGID SETGROUPS SETRESUID SETRESGID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL CHROOT ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL MIGRATE_PAGES FUTIMESAT UNSHARE MOVE_PAGES UTIMENSAT PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE
Looking for Docker.sock
Based on the above result, I created the custom profile as below:
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "MSGRCV",
        "SYSLOG",
        "SETUID",
        "SETGID",
        "SETSID",
        "SETREUID",
        "SETREGID",
        "SETGROUPS",
        "SETRESUID",
        "SETRESGID",
        "USELIB",
        "USTAT",
        "SYSFS",
        "VHANGUP",
        "PIVOT_ROOT",
        "_SYSCTL",
        "CHROOT",
        "ACCT",
        "SETTIMEOFDAY",
        "MOUNT",
        "UMOUNT2",
        "SWAPON",
        "SWAPOFF",
        "REBOOT",
        "SETHOSTNAME",
        "SETDOMAINNAME",
        "IOPL",
        "IOPERM",
        "CREATE_MODULE",
        "INIT_MODULE",
        "DELETE_MODULE",
        "GET_KERNEL_SYMS",
        "QUERY_MODULE",
        "QUOTACTL",
        "NFSSERVCTL",
        "GETPMSG",
        "PUTPMSG",
        "AFS_SYSCALL",
        "TUXCALL",
        "SECURITY",
        "LOOKUP_DCOOKIE",
        "CLOCK_SETTIME",
        "VSERVER",
        "MBIND",
        "SET_MEMPOLICY",
        "GET_MEMPOLICY",
        "KEXEC_LOAD",
        "ADD_KEY",
        "REQUEST_KEY",
        "KEYCTL",
        "MIGRATE_PAGES",
        "FUTIMESAT",
        "UNSHARE",
        "MOVE_PAGES",
        "UTIMENSAT",
        "PERF_EVENT_OPEN",
        "FANOTIFY_INIT",
        "NAME_TO_HANDLE_AT",
        "OPEN_BY_HANDLE_AT",
        "SETNS",
        "PROCESS_VM_READV",
        "PROCESS_VM_WRITEV",
        "KCMP",
        "FINIT_MODULE",
        "KEXEC_FILE_LOAD",
        "BPF",
        "USERFAULTFD",
        "PKEY_MPROTECT",
        "PKEY_ALLOC",
        "PKEY_FREE"
      ],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
I blacklisted the syscalls which I got in the amicontained output. After applying the custom profile, below is the output of amicontained:
Container Runtime: docker
Has Namespaces:
pid: true
user: false
AppArmor Profile: unconfined
Capabilities:
Seccomp: filtering
Blocked Syscalls (25):
SYSLOG SETUID SETGID SETSID SETREUID SETREGID SETGROUPS SETRESUID SETRESGID VHANGUP PIVOT_ROOT ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME INIT_MODULE DELETE_MODULE FUTIMESAT UTIMENSAT OPEN_BY_HANDLE_AT FINIT_MODULE BPF
Looking for Docker.sock
This time it blocked only 25 syscalls, even though I defined all 69 syscalls that need to be blocked in the profile.
Why did it block only 25 syscalls?
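An added check, not part of the post and not code from amicontained or Docker: libseccomp resolves the "names" entries of a profile by exact, case-sensitive match against its lowercase syscall table, and runc logs and skips any name it cannot resolve rather than failing, so a rule written with the upper-case spellings amicontained prints adds nothing to the filter. The script below lints a profile for such names, lower-cases them, and splits amicontained's "Blocked Syscalls" line into the blocks the profile accounts for and the ones that must come from elsewhere; the profile and report are trimmed constructed samples modelled on the post.

```python
import copy
import re

# Constructed sample: a trimmed version of the profile from the post, with the
# names in the upper-case form amicontained prints them in.
PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["SYSLOG", "SETUID", "MOUNT", "CHROOT", "BPF", "ptrace"],
                  "action": "SCMP_ACT_ERRNO"}],
}

# Constructed sample: a trimmed amicontained report after loading that profile.
AMICONTAINED_OUTPUT = """Seccomp: filtering
Blocked Syscalls (3):
SYSLOG SETUID BPF
Looking for Docker.sock"""

# libseccomp matches "names" case-sensitively against its lowercase syscall table
# and runc skips names it cannot resolve. This is a syntactic check, not a lookup.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_]*$")

def lint_names(profile):
    """Split the profile's names into ones the runtime can resolve and ones it ignores."""
    resolvable, ignored = [], []
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            (resolvable if NAME_RE.match(name) else ignored).append(name)
    return {"resolvable": resolvable, "ignored": ignored}

def normalize(profile):
    """Copy of the profile with every syscall name lower-cased so it resolves."""
    fixed = copy.deepcopy(profile)
    for rule in fixed.get("syscalls", []):
        rule["names"] = [n.lower() for n in rule.get("names", [])]
    return fixed

def parse_blocked(report):
    """Lower-cased names on the line after 'Blocked Syscalls' in amicontained output."""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Blocked Syscalls") and i + 1 < len(lines):
            return {n.lower() for n in lines[i + 1].split()}
    return set()

def explain(profile, report):
    """Which blocked syscalls the profile, as written, accounts for and which it does not."""
    matched = set(lint_names(profile)["resolvable"])
    blocked = parse_blocked(report)
    return {"by_profile": sorted(blocked & matched),
            "not_by_profile": sorted(blocked - matched)}
```

Anything left in not_by_profile is being refused by something other than this seccomp profile (amicontained reports a syscall as blocked whenever it returns EPERM, which a missing capability also produces), so it is worth reading alongside the empty Capabilities: line in the report.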