Docker and seccomp - Mon, Feb 14, 2022
How to adjust the seccomp profile for Docker
After a recent docker upgrade, I found myself unable to run any container:
# docker run -ti centos bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "error adding seccomp filter rule for syscall clone3: permission denied": unknown.
Although in the end the problem turned out to be an old runc binary still in the PATH, I nevertheless got interested in what this was all about. In this blog post I will take a look at what seccomp actually is and how to grant docker containers additional permissions.
What is seccomp and the default profile?
From Wikipedia:
seccomp is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition […] where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process
So it is a security feature which, in the case of docker, restricts the set of system calls a container may make. Since a container needs far more than the four calls mentioned above, docker ships a default profile that allows a specific list of system calls and denies everything else.
Since the documentation did not list clone3 as blocked, I took a look at the actual default profile located here. And indeed clone3 was restricted:
{
    "names": [
        "clone3"
    ],
    "action": "SCMP_ACT_ERRNO",
    "errnoRet": 38,
    "excludes": {
        "caps": [
            "CAP_SYS_ADMIN"
        ]
    }
}
This entry makes clone3 fail with errno 38 (ENOSYS) unless the container holds CAP_SYS_ADMIN; returning ENOSYS rather than EPERM is what lets a libc fall back to the older clone() call. So granting docker containers additional syscalls should be possible by modifying the default profile.
Allowing additional syscalls
I used Fedora with docker running as a systemd service. This installation used the default profile implicitly, so the first step was to download the default profile and configure the docker daemon to use it explicitly.
The docker daemon can be configured by altering the JSON file /etc/docker/daemon.json. So I added the seccomp-profile directive to point to my new local profile:
{
    "seccomp-profile": "/etc/docker/default-profile.json"
}
A list of all available configuration options can be found here.
Then I removed clone3 from the list of restricted syscalls, restarted the daemon, and the docker run command worked perfectly. Problem solved.
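As an added example (not code from this post and not Docker's own tooling), the following Python script interprets the profile structure shown in the previous section and performs the edit described here programmatically. It works on a constructed miniature profile that mirrors the layout of Docker's default.json (a deny-by-default action, an allow list, the clone3 entry from above, and the matching CAP_SYS_ADMIN allow entry) but lists only a handful of syscalls. One point the script makes explicit: because the profile's defaultAction is SCMP_ACT_ERRNO, merely deleting clone3 from the ERRNO entry leaves the call denied with the default errno; to actually permit it, the name also has to go into an allow entry. The capability handling (includes/excludes caps) follows the profile format; arch and minKernel filters are ignored as a simplification, and the file paths are this example's assumptions.

```python
import copy
import json

# Constructed miniature profile (an added example, not Docker's real
# default.json). Same shape as the real file, far fewer syscalls.
EXAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,  # EPERM for any syscall not matched below
    "syscalls": [
        {
            "names": ["read", "write", "exit", "exit_group", "clone"],
            "action": "SCMP_ACT_ALLOW",
        },
        {
            # The entry quoted from the default profile: ENOSYS (38) so that
            # glibc falls back to clone(), unless CAP_SYS_ADMIN is present.
            "names": ["clone3"],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 38,
            "excludes": {"caps": ["CAP_SYS_ADMIN"]},
        },
        {
            # Counterpart entry: privileged containers may use clone3.
            "names": ["clone3", "bpf"],
            "action": "SCMP_ACT_ALLOW",
            "includes": {"caps": ["CAP_SYS_ADMIN"]},
        },
    ],
}


def rule_applies(rule, caps):
    """Honour the includes/excludes capability filters of one profile entry.

    Simplification (assumption): arches and minKernel filters are ignored.
    """
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    if inc and not set(inc) & caps:
        return False
    if exc and set(exc) & caps:
        return False
    return True


def effective_action(profile, syscall, caps=frozenset()):
    """Return (action, errno) the profile yields for one syscall.

    First applicable entry wins; anything unmatched gets defaultAction.
    """
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            errno = rule.get("errnoRet") if rule["action"] == "SCMP_ACT_ERRNO" else None
            return rule["action"], errno
    default = profile["defaultAction"]
    errno = profile.get("defaultErrnoRet") if default == "SCMP_ACT_ERRNO" else None
    return default, errno


def allow_syscall(profile, syscall):
    """Return a copy of the profile in which `syscall` is unconditionally allowed.

    Removing the name from SCMP_ACT_ERRNO entries alone is not enough when
    defaultAction is SCMP_ACT_ERRNO: the call would then fail with the default
    errno instead. So the name is also added to an unconditional allow entry.
    """
    new = copy.deepcopy(profile)
    kept = []
    for rule in new["syscalls"]:
        if rule["action"] != "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n != syscall]
        if rule["names"]:  # drop entries that became empty
            kept.append(rule)
    new["syscalls"] = kept
    for rule in new["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW" and "includes" not in rule and "excludes" not in rule:
            if syscall not in rule["names"]:
                rule["names"].append(syscall)
            break
    else:
        new["syscalls"].append({"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    return new


def daemon_config(profile_path):
    """daemon.json content pointing dockerd at a custom profile (assumed path)."""
    return {"seccomp-profile": profile_path}


if __name__ == "__main__":
    print("clone3, no caps:       ", effective_action(EXAMPLE_PROFILE, "clone3"))
    print("clone3, CAP_SYS_ADMIN: ", effective_action(EXAMPLE_PROFILE, "clone3", {"CAP_SYS_ADMIN"}))
    patched = allow_syscall(EXAMPLE_PROFILE, "clone3")
    print("clone3 after patching: ", effective_action(patched, "clone3"))
    # To apply for real (paths are assumptions): write json.dumps(patched, indent=2)
    # to /etc/docker/default-profile.json, write daemon_config(...) to
    # /etc/docker/daemon.json, then `systemctl restart docker`.
    print(json.dumps(daemon_config("/etc/docker/default-profile.json")))
```

Run the script as-is to see the three outcomes for clone3: ENOSYS without capabilities, allowed with CAP_SYS_ADMIN, and allowed for everyone after the patch. Feed it the real default.json (loaded with json.load) to query or patch the actual profile; only the capability filters are evaluated, so results for entries with arch or minKernel conditions should be double-checked by hand.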
Using the unconfined profile
The modifications above allow for fine-grained access control. If you want to bypass the seccomp profile altogether, you can use the unconfined profile (the flag must come before the image name):
# docker run -ti --security-opt seccomp=unconfined centos bash
The daemon configuration, however, does not allow this profile to be specified there.
Be careful though: with an unconfined profile the container can issue every system call the host kernel offers, which considerably enlarges the kernel attack surface when running unknown containers.
Conclusion
Granting docker containers additional permissions can be done by configuring the seccomp profile. When running docker as a systemd daemon, the file /etc/docker/daemon.json can be used to specify a different profile. But as always, care should be taken not to grant containers too many permissions.