Seccomp
What is Seccomp?
Secure computing (seccomp) is a security feature of the Linux kernel.
It restricts the system calls (syscalls) a process is allowed to make, and can also filter based on their arguments.
This limitation reduces the attack surface of the process, mitigating the risk of some types of attacks.
It is widely used in Docker and Kubernetes to improve the security of containers.
How do I check if seccomp is enabled?
You can check the kernel's configuration to see if seccomp is enabled (the path may vary depending on the Linux distro):
grep CONFIG_SECCOMP /boot/config-$(uname -r)
- CONFIG_SECCOMP=y: the basic seccomp mechanism (strict mode) is enabled. Strict mode only permits read, write, exit, and sigreturn.
- CONFIG_SECCOMP_FILTER=y: BPF-based syscall filtering is enabled. This mode allows defining custom filter rules and is required by Docker and Kubernetes.
How does Seccomp work in Docker?
Seccomp is enabled in Docker by default. Docker's default seccomp profile uses an allowlist approach:
- First, it denies all syscalls.
- Then, it explicitly permits the syscalls containers typically need; every syscall not on that list stays blocked.
How can I know which seccomp profile is used by default in my Docker installation?
You can inspect Docker's security options to see which seccomp profile is used by default:
docker info -f '{{ .SecurityOptions }}'
By default, the output lists all enabled security options. Among them, name=seccomp,profile=builtin shows that seccomp is enabled with the default (builtin) profile.
How do I know which seccomp profile a container is using?
You can inspect the container's security options to see which seccomp profile it is using:
docker inspect CONTAINER_NAME -f '{{ .HostConfig.SecurityOpt }}'
If the output is [], the container was created without overriding the default seccomp profile.
Can I create a container that uses a custom seccomp profile?
Yes, you just have to provide the --security-opt flag with the path to the seccomp profile file (in JSON format) you want to use. Replace my_seccomp_profile.json with the actual path to your seccomp profile:
docker run --name seccomp-custom-profile -d --security-opt seccomp=my_seccomp_profile.json alpine sh -c 'sleep infinity'
You can inspect the container's security options to verify it:
docker inspect seccomp-custom-profile -f '{{ .HostConfig.SecurityOpt }}'
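The page does not show what a profile file looks like, so here is an added example (not Docker's own code or default profile) that builds an allowlist-style profile in Docker's JSON format, including one argument-filtered rule, and audits an existing profile to tell allowlist from denylist. The set of syscalls passed in is a constructed sample; a real workload such as the alpine shell above needs more, and `AF_UNIX = 1` is the Linux value of that address family.

```python
"""Build and audit a Docker seccomp profile (constructed example)."""
import json

SCMP_ACT_ALLOW = "SCMP_ACT_ALLOW"
SCMP_ACT_ERRNO = "SCMP_ACT_ERRNO"   # denied syscalls fail with an errno (EPERM)
AF_UNIX = 1                          # Linux value of the AF_UNIX address family


def build_allowlist_profile(allowed):
    """Allowlist profile: deny everything except the named syscalls.

    `allowed` is any iterable of syscall names (sample set supplied by caller).
    """
    return {
        "defaultAction": SCMP_ACT_ERRNO,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(allowed), "action": SCMP_ACT_ALLOW},
            # Argument filter: socket() is allowed only for Unix-domain sockets,
            # i.e. when its first argument (the address family) equals AF_UNIX.
            {"names": ["socket"], "action": SCMP_ACT_ALLOW,
             "args": [{"index": 0, "value": AF_UNIX, "op": "SCMP_CMP_EQ"}]},
        ],
    }


def audit_profile(profile):
    """Summarise a loaded profile dict.

    Returns whether it is an allowlist (default action is not ALLOW), the
    syscalls allowed unconditionally, and those allowed only under an
    argument filter.
    """
    default = profile.get("defaultAction")
    unconditional, arg_filtered = set(), set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != SCMP_ACT_ALLOW:
            continue  # only ALLOW rules widen what the process may call
        bucket = arg_filtered if rule.get("args") else unconditional
        bucket.update(rule.get("names", []))
    return {
        "allowlist": default != SCMP_ACT_ALLOW,
        "allowed": sorted(unconditional),
        "arg_filtered": sorted(arg_filtered),
    }


if __name__ == "__main__":
    # Write a sample profile to pass to: docker run --security-opt seccomp=my_seccomp_profile.json ...
    sample = build_allowlist_profile({"read", "write", "exit_group", "rt_sigreturn"})
    with open("my_seccomp_profile.json", "w") as fh:
        json.dump(sample, fh, indent=2)
    print(audit_profile(sample))
```

Running `audit_profile` on a profile whose `defaultAction` is `SCMP_ACT_ALLOW` reports `"allowlist": False`, which is the denylist shape that is weaker than Docker's default approach described above.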
Can I disable seccomp for a container?
Yes, although this is not recommended. You can disable seccomp for a container using the --security-opt flag with the value unconfined when creating the container:
docker run --name seccomp-disabled -d --security-opt seccomp=unconfined alpine sh -c 'sleep infinity'
You can verify it worked by inspecting the security options of the container:
docker inspect seccomp-disabled -f '{{ .HostConfig.SecurityOpt }}'
The output will show that seccomp is disabled: [seccomp=unconfined]