Kessy:
Hello all, I understood how to implement AppArmor and Seccomp in a Kubernetes context, but I still have a big question, which is: what is the real difference between syscalls and Linux capabilities? If anyone can help, I will be happy. Thanks
Priyanshu:
@Kessy In layman's terms, a syscall is the function calls made by any command to the kernel, like how many calls are made by the touch command to the kernel for the creation of a file. Linux capabilities are what a user or system is allowed to perform, like whether it can create a file or not.
If the system has the Linux capability of creating a file, then it can execute the command. Then the calls made by the command to the kernel for successful execution are called syscalls…
@unnivkn hope I am right!!
unnivkn:
Linux Capabilities:
The Linux capabilities feature breaks up the privileges available to processes run as the root user into smaller groups of privileges. This way a process running with root privilege can be limited to get only the minimal permissions it needs to perform its operation. Docker supports the Linux capabilities as part of the docker run command: with --cap-add and --cap-drop. By default, a container is started with several capabilities that are allowed by default and can be dropped. Other permissions can be added manually. Both --cap-add and --cap-drop support the ALL value, to allow or drop all capabilities.
Limiting syscalls with seccomp:
Secure Computing Mode (seccomp) is a kernel feature that allows you to filter system calls to the kernel from a container. The combination of restricted and allowed calls are arranged in profiles, and you can pass different profiles to different containers. Seccomp provides more fine-grained control than capabilities, giving an attacker a limited number of syscalls from the container.
System Calls:
Applications run in what’s called user space, which has a lower level of privilege than the operating system kernel. If an application wants to do something like access a file, communicate using a network, or even find the time of day, it has to ask the kernel to do it on the application’s behalf. The programmatic interface that the user space code uses to make these requests of the kernel is known as the system call or syscall interface.
There are some 300+ different system calls, with the number varying according to the version of Linux kernel. …
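The three pieces unnivkn describes above fit together as two gates in series: a seccomp profile decides whether a syscall is even delivered to the kernel, and if it is, the kernel's own permission check for a privileged operation is a capability check. The script below models both gates so you can see where a given syscall is stopped for a given `--cap-add`/`--cap-drop` set. It is an added example for this thread, not Docker, runc or Kubernetes code. The profile JSON is constructed here: it copies the shape of a Docker seccomp profile (`defaultAction`, `syscalls[].names`, `action`, `includes.caps`, `excludes.caps`) with only a handful of rules, and is not a copy of the real default profile. The rule semantics used (an `includes` rule needs every listed capability, an `excludes` rule is dropped if any listed capability is present, per-syscall `args` filters are ignored) is my reading of how Docker applies those fields and is an assumption, as are the capability lists, which are subsets of the real ones.

```python
"""Model the two gates a container syscall passes: seccomp, then the kernel's
capability check. Added example for this thread; profiles and cap lists are
constructed subsets, and the includes/excludes semantics is an assumption."""
import json

# Capabilities Docker grants by default (constructed subset of the real list).
DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE", "CAP_SETFCAP",
})
# A few of the capabilities that must be added explicitly (also a subset).
ALL_CAPS = DEFAULT_CAPS | {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE"}

# Capability the kernel demands for the privileged form of a syscall, per
# chown(2) (changing the owner of a file you do not own), chroot(2), mount(2).
CAP_REQUIRED = {
    "chown": "CAP_CHOWN", "fchown": "CAP_CHOWN", "lchown": "CAP_CHOWN",
    "chroot": "CAP_SYS_CHROOT",
    "mount": "CAP_SYS_ADMIN", "umount2": "CAP_SYS_ADMIN",
}

# Constructed profile in the shape of a Docker/runc seccomp profile: some rules
# are unconditional, others only apply when the container holds a capability.
DOCKER_STYLE_PROFILE = json.loads(r"""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "clock_gettime"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["chown", "fchown", "lchown"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_CHOWN"]}},
    {"names": ["chroot"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_CHROOT"]}},
    {"names": ["mount", "umount2"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]}""")

# Same syscalls, no capability conditions: the seccomp gate is wide open, so
# only the kernel's own capability check can refuse the call.
UNCONDITIONAL_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{
        "names": sorted({n for r in DOCKER_STYLE_PROFILE["syscalls"] for n in r["names"]}),
        "action": "SCMP_ACT_ALLOW",
    }],
}


def _norm(cap):
    """Accept both 'SYS_ADMIN' and 'CAP_SYS_ADMIN', plus the ALL keyword."""
    cap = cap.upper()
    return cap if cap == "ALL" or cap.startswith("CAP_") else "CAP_" + cap


def effective_caps(cap_add=(), cap_drop=()):
    """Model `docker run --cap-drop ... --cap-add ...`: drops apply first."""
    drop = {_norm(c) for c in cap_drop}
    add = {_norm(c) for c in cap_add}
    caps = set() if "ALL" in drop else set(DEFAULT_CAPS) - drop
    caps |= set(ALL_CAPS) if "ALL" in add else add
    return frozenset(caps)


def _rule_applies(rule, caps):
    need = set(rule.get("includes", {}).get("caps", []))
    forbid = set(rule.get("excludes", {}).get("caps", []))
    return need <= caps and not (forbid & caps)


def seccomp_allowed(profile, caps):
    """Syscalls the filter lets through for a container holding `caps`."""
    return frozenset(
        name for rule in profile["syscalls"]
        if rule["action"] == "SCMP_ACT_ALLOW" and _rule_applies(rule, caps)
        for name in rule["names"])


def outcome(profile, caps, syscall):
    """Report where a syscall stops: the seccomp gate, the capability gate, or neither."""
    if syscall not in seccomp_allowed(profile, caps):
        return "seccomp:" + profile["defaultAction"]      # never reaches the kernel handler
    needed = CAP_REQUIRED.get(syscall)
    if needed and needed not in caps:
        return "kernel:EPERM(missing " + needed + ")"     # handler ran, capability check failed
    return "allowed"


if __name__ == "__main__":
    scenarios = [
        ("default caps, docker-style profile", DOCKER_STYLE_PROFILE, effective_caps()),
        ("--cap-add SYS_ADMIN, docker-style profile", DOCKER_STYLE_PROFILE,
         effective_caps(cap_add=["SYS_ADMIN"])),
        ("default caps, unconditional profile", UNCONDITIONAL_PROFILE, effective_caps()),
        ("--cap-drop ALL, unconditional profile", UNCONDITIONAL_PROFILE,
         effective_caps(cap_drop=["ALL"])),
    ]
    for label, profile, caps in scenarios:
        print(label)
        for sc in ("openat", "chown", "mount"):
            print(f"  {sc:<7} -> {outcome(profile, caps, sc)}")
```

The scenarios are chosen to separate the two mechanisms: with the Docker-style profile, `mount` is refused by seccomp because the rule that allows it is conditional on CAP_SYS_ADMIN; with the unconditional profile the same call reaches the kernel and is refused there with EPERM for lack of the capability. Dropping every capability does nothing to `openat`, because reading a file you may read needs no capability, which is why seccomp is the only one of the two that can take that syscall away from an attacker.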