Seccomp Profiles for System Call Filtering
Secure Computing Mode (seccomp) filters the system calls available to a container. Filtering at the system-call level stops a container from performing dangerous operations even when it holds the capabilities that would otherwise permit them. Docker's default seccomp profile blocks many dangerous system calls while allowing the common ones; a custom profile can restrict the set further, based on what the application actually needs.
Creating a custom profile requires knowing which system calls the application makes. Tools such as strace identify the calls an application needs during development. Seccomp's action types allow graduated responses, from logging a call, through returning an error to the caller, to immediate termination of the process. Careful testing ensures a profile does not break legitimate application functionality while still blocking unwanted operations.
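The strace-driven workflow just described, as an added example (not code from the original page or from Docker): a small Python script that reads `strace -f` output, collects the system call names that appear, and emits an allow-list profile in the same shape as the profile below, either enforcing (SCMP_ACT_ERRNO returning EPERM) or in a log-only staging form (SCMP_ACT_LOG). The trace excerpt and the BASELINE set are constructed for this example and are not a real capture.

```python
import json
import re

# Constructed excerpt of `strace -f -o trace.log ./server` output (not a real
# capture): with -f every line starts with the PID, then the call, then the result.
SAMPLE_STRACE = """\
1234  execve("/app/server", ["/app/server"], 0x7ffd1d2c3e40 /* 12 vars */) = 0
1234  brk(NULL)                         = 0x55d2c3a00000
1234  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c2e3f0000
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  read(3, "\\177ELF\\2\\1\\1"..., 832)    = 832
1234  close(3)                          = 0
1234  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 3
1234  bind(3, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
1234  listen(3, 128)                    = 0
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1c2e3f1a10) = 1235
1235  accept4(3, NULL, NULL, SOCK_CLOEXEC <unfinished ...>
1234  wait4(-1,  <unfinished ...>
1235  <... accept4 resumed>) = 4
1235  write(4, "HTTP/1.1 200 OK\\r\\n", 17) = 17
1235  exit_group(0)                     = ?
1234  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235, si_uid=0, si_status=0} ---
1234  <... wait4 resumed>NULL, 0, NULL) = 1235
1234  +++ exited with 0 +++
"""

# A syscall line: optional "PID " or "[pid N] " prefix, then the name and "(".
# Signal (---), exit (+++) and "<... resumed>" lines do not match, which is
# intended: a resumed call was already counted on its "<unfinished>" line.
STRACE_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")

# Calls the C runtime issues at exit or during signal delivery that a short
# trace can miss. Constructed safety margin for this example; review it
# against your own traces rather than treating it as authoritative.
BASELINE = {"exit", "exit_group", "futex", "rt_sigreturn", "set_tid_address", "sigaltstack"}


def syscalls_from_strace(text):
    """Return the set of system call names that appear in strace output."""
    names = set()
    for line in text.splitlines():
        m = STRACE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_profile(names, default_action="SCMP_ACT_ERRNO", errno_ret=1):
    """Build a Docker-style allow-list profile from a set of syscall names.

    default_action="SCMP_ACT_ERRNO" with errno_ret=1 (EPERM) is the enforcing
    form used by the profile on this page; default_action="SCMP_ACT_LOG" gives
    a staging profile that records unlisted calls instead of failing them.
    """
    profile = {"defaultAction": default_action}
    if default_action == "SCMP_ACT_ERRNO":
        profile["defaultErrnoRet"] = errno_ret  # only meaningful for the ERRNO action
    profile["architectures"] = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]
    profile["syscalls"] = [{"names": sorted(names | BASELINE), "action": "SCMP_ACT_ALLOW"}]
    return profile


if __name__ == "__main__":
    seen = syscalls_from_strace(SAMPLE_STRACE)
    print(json.dumps(build_profile(seen), indent=2))
```

The generated file is applied with `docker run --security-opt seccomp=profile.json ...`. A trace only covers the code paths that were exercised, so the first cut is best deployed with `SCMP_ACT_LOG` as the default action and promoted to `SCMP_ACT_ERRNO` once the log has been quiet through a representative workload.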
```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "accept",
        "accept4",
        "access",
        "bind",
        "brk",
        "chdir",
        "chmod",
        "chown",
        "close",
        "connect",
        "dup",
        "dup2",
        "epoll_create",
        "epoll_create1",
        "epoll_ctl",
        "epoll_wait",
        "exit",
        "exit_group",
        "fchdir",
        "fchmod",
        "fchown",
        "fcntl",
        "fstat",
        "fsync",
        "futex",
        "getcwd",
        "getdents64",
        "getegid",
        "geteuid",
        "getgid",
        "getpid",
        "getppid",
        "getsockname",
        "getsockopt",
        "gettid",
        "getuid",
        "ioctl",
        "listen",
        "lseek",
        "madvise",
        "mkdir",
        "mmap",
        "mprotect",
        "munmap",
        "nanosleep",
        "open",
        "openat",
        "pipe",
        "poll",
        "pread64",
        "pwrite64",
        "read",
        "readlink",
        "recvfrom",
        "recvmsg",
        "rename",
        "rt_sigaction",
        "rt_sigprocmask",
        "rt_sigreturn",
        "sched_getaffinity",
        "sched_yield",
        "select",
        "sendmsg",
        "sendto",
        "set_tid_address",
        "setgid",
        "setgroups",
        "setsockopt",
        "setuid",
        "shutdown",
        "sigaltstack",
        "socket",
        "stat",
        "statfs",
        "sysinfo",
        "umask",
        "uname",
        "unlink",
        "wait4",
        "write"
      ],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": [
        "clone"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": [
        {
          "index": 0,
          "value": 2114060288,
          "op": "SCMP_CMP_MASKED_EQ"
        }
      ]
    },
    {
      "names": [
        "kill",
        "tkill",
        "tgkill"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": [
        {
          "index": 1,
          "value": 0,
          "op": "SCMP_CMP_GT"
        }
      ]
    }
  ]
}
```
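The two argument-filtered rules in the profile above are the part most readers have to take on faith, so here is an added example (not code from the original page or from libseccomp/Docker) that decodes them and evaluates the profile against sample calls. The CLONE_* bit values come from `<linux/sched.h>`; the mask 2114060288 (0x7E020000) is exactly the seven namespace-creating flags, so the rule allows thread and fork-style clone() calls but refuses any clone() that would create a new namespace. The `kill` rule compares argument 1 (the signal) and therefore refuses signal 0, the "does this PID exist" probe. The evaluator is a simplified model of libseccomp's matching, not its real implementation; `valueTwo` is absent from the page's rule and is treated as 0, which is how Docker reads a missing key.

```python
# clone(2) namespace flag bits from <linux/sched.h>; the profile's mask
# 2114060288 (0x7E020000) is the union of exactly these seven bits.
CLONE_NS_FLAGS = {
    "CLONE_NEWNS":     0x00020000,
    "CLONE_NEWCGROUP": 0x02000000,
    "CLONE_NEWUTS":    0x04000000,
    "CLONE_NEWIPC":    0x08000000,
    "CLONE_NEWUSER":   0x10000000,
    "CLONE_NEWPID":    0x20000000,
    "CLONE_NEWNET":    0x40000000,
}
# Flags glibc passes for pthread_create() (VM|FS|FILES|SIGHAND|THREAD|SYSVSEM|
# SETTLS|PARENT_SETTID|CHILD_CLEARTID) and for fork() (CHILD_CLEARTID|CHILD_SETTID|SIGCHLD).
THREAD_FLAGS = 0x003D0F00
FORK_FLAGS = 0x01200011
SIGCHLD = 17
U64 = 0xFFFFFFFFFFFFFFFF

# The two argument-filtered rules from the page's profile plus a few plain
# allow entries so decide() has something to match; the full list is above.
PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "syscalls": [
        {"names": ["read", "write", "socket", "connect"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["kill", "tkill", "tgkill"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 1, "value": 0, "op": "SCMP_CMP_GT"}]},
    ],
}


def decode_mask(mask):
    """Names of the namespace flags set in a clone() flag mask."""
    return [name for name, bit in CLONE_NS_FLAGS.items() if mask & bit]


def arg_matches(cond, args):
    """Evaluate one 'args' condition. seccomp compares arguments as unsigned
    64-bit values; for MASKED_EQ 'value' is the mask and 'valueTwo' the
    expected result, which Docker treats as 0 when the key is absent."""
    a = args[cond["index"]] & U64
    v = cond["value"]
    two = cond.get("valueTwo", 0)
    return {
        "SCMP_CMP_NE": a != v,
        "SCMP_CMP_LT": a < v,
        "SCMP_CMP_LE": a <= v,
        "SCMP_CMP_EQ": a == v,
        "SCMP_CMP_GE": a >= v,
        "SCMP_CMP_GT": a > v,
        "SCMP_CMP_MASKED_EQ": (a & v) == two,
    }[cond["op"]]


def decide(profile, name, args):
    """Action the profile takes for syscall `name` called with `args`.
    Simplified model of libseccomp: the first rule naming the syscall whose
    conditions all hold wins; otherwise defaultAction applies."""
    for rule in profile["syscalls"]:
        if name in rule["names"] and all(arg_matches(c, args) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    print("mask covers:", decode_mask(2114060288))
    samples = [("clone", [THREAD_FLAGS]), ("clone", [FORK_FLAGS]),
               ("clone", [CLONE_NS_FLAGS["CLONE_NEWUSER"] | SIGCHLD]),
               ("kill", [4242, 15]), ("kill", [4242, 0]), ("ptrace", [0, 0])]
    for call, args in samples:
        print(f"{call}({args}) -> {decide(PROFILE, call, args)}")
```

When `decide` returns `SCMP_ACT_ERRNO` the real kernel makes the call fail with `defaultErrnoRet` (EPERM here) rather than killing the process, which is why applications under this profile see `EPERM` from `clone` or `unshare` instead of dying.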
Runtime security policies must balance security against operational requirements. Overly restrictive policies break applications and frustrate developers. Tightening a policy gradually lets teams adapt while security improves. Monitoring policy violations identifies the adjustments a policy needs without disrupting production systems.
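Monitoring violations, as an added example (not code from the original page): when a filter's action is one the kernel audits (the `kernel.seccomp.actions_logged` sysctl controls which), each hit produces a `type=1326` audit record carrying the syscall number, the process and the filter's return code. The script below parses such records, decodes the action and errno from the `code=` field using the constants from `<linux/seccomp.h>`, and sorts the hits into what a profile review has to look at. The log lines and the partial x86_64 syscall table are constructed for the example; a real tool would load the full table.

```python
import re
from collections import Counter, defaultdict

# Return-value layout from <linux/seccomp.h>: the upper 16 bits select the
# action, the lower 16 carry data (the errno for SCMP_ACT_ERRNO).
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_DATA = 0x0000FFFF
ACTIONS = {
    0x80000000: "SCMP_ACT_KILL_PROCESS",
    0x00000000: "SCMP_ACT_KILL_THREAD",
    0x00030000: "SCMP_ACT_TRAP",
    0x00050000: "SCMP_ACT_ERRNO",
    0x7FFC0000: "SCMP_ACT_LOG",
}
AUDIT_ARCH_X86_64 = "c000003e"
# Partial x86_64 syscall table, constructed for this example; a real tool
# would load the full table (for instance from the kernel's syscall_64.tbl).
X86_64_SYSCALLS = {41: "socket", 42: "connect", 56: "clone", 59: "execve",
                   62: "kill", 101: "ptrace", 165: "mount", 272: "unshare"}

# Constructed kernel log lines in the shape of the seccomp audit record.
# pid 4242 runs under a SCMP_ACT_LOG staging profile (code 0x7ffc0000);
# pid 4377 is a shell in a container under the enforcing profile
# (code 0x50001 = ERRNO action with errno 1, EPERM).
SAMPLE_AUDIT = """\
audit: type=1326 audit(1700000000.101:201): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="server" exe="/app/server" sig=0 arch=c000003e syscall=42 compat=0 ip=0x7f3a1c2b3e4d code=0x7ffc0000
audit: type=1326 audit(1700000000.150:202): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="server" exe="/app/server" sig=0 arch=c000003e syscall=42 compat=0 ip=0x7f3a1c2b3e4d code=0x7ffc0000
audit: type=1326 audit(1700000000.400:203): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="server" exe="/app/server" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7f3a1c2b3f10 code=0x7ffc0000
audit: type=1326 audit(1700000000.900:204): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4377 comm="sh" exe="/bin/busybox" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f9b8d7c6b5a code=0x50001
audit: type=1326 audit(1700000001.200:205): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4377 comm="sh" exe="/bin/busybox" sig=0 arch=c000003e syscall=101 compat=0 ip=0x7f9b8d7c6b5a code=0x50001
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_audit(text):
    """Turn seccomp audit records into dicts with the decoded action and syscall name."""
    events = []
    for line in text.splitlines():
        if "type=1326" not in line and "type=SECCOMP" not in line:
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        code = int(f["code"], 16)
        action = ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, f"0x{code:08x}")
        nr = int(f["syscall"])
        if f["arch"] == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"nr{nr}")
        else:
            name = f"arch{f['arch']}:nr{nr}"  # numbers differ per architecture
        events.append({"pid": int(f["pid"]), "comm": f["comm"], "syscall": name,
                       "action": action,
                       "errno": code & SECCOMP_RET_DATA if action == "SCMP_ACT_ERRNO" else None})
    return events


def triage(events, allowed):
    """Group hits by process and syscall into the three buckets a review needs.

    logged:   recorded by a SCMP_ACT_LOG staging profile and missing from the
              allow list; candidates to add once confirmed legitimate.
    denied:   refused by the enforcing profile; an application gap, or a sign
              that something in the container is doing what it should not.
    mismatch: logged although already in the allow list; the running profile
              is not the one you think (wrong file, or the default was kept).
    """
    out = {"logged": defaultdict(Counter), "denied": defaultdict(Counter),
           "mismatch": defaultdict(Counter)}
    for e in events:
        if e["action"] == "SCMP_ACT_LOG":
            bucket = "mismatch" if e["syscall"] in allowed else "logged"
        else:
            bucket = "denied"
        out[bucket][e["comm"]][e["syscall"]] += 1
    return {k: {comm: dict(c) for comm, c in v.items()} for k, v in out.items()}


if __name__ == "__main__":
    report = triage(parse_seccomp_audit(SAMPLE_AUDIT), allowed={"read", "write", "socket"})
    for bucket, procs in report.items():
        print(bucket, procs)
```

Reading the sample report: `connect` from the server is the kind of gap a staging profile exists to find and belongs in the allow list; `unshare` from the same server is not something a web server needs and should be investigated before anyone adds it. The `denied` bucket (a shell attempting `mount` and `ptrace` under the enforcing profile) is evidence that the profile did its job, and the process is worth a closer look rather than a relaxed policy.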