antiTree | posts and projects
posted by antitree on Sep 11, 2017

This is a follow up from the Custom Seccomp profile post which went through some of the background information.

Speed up custom seccomp profile generation with Syscall2seccomp

You can always manually track down the syscalls that your application makes, and build a custom seccomp profile for your Docker container, but I’ve created the tool syscall2seccomp that helps speed the profile building process up. It takes the output from sysdig or strace and converts it to a usable Docker profile. It’s up to you to customize it from there.

Here’s an example of the flow:

Sysdig for syscalls:

sudo sysdig container.name=myexamplenginx > nginx.sysdig

Here’s a snip of the output from using Sysdig on an Nginx container:

257606 14:28:33.038284292 0 runc:[2:INIT] (27609) < clone res=0 exe=/proc/self/exe args=init. tid=27609(runc:[2:INIT]) pid=27608(runc:[1:CHILD]) ptid=27605(docker-runc) cwd= fdlimit=1048576 pgft_maj=0 pgft_min=0 vm_size=25604 vm_rss=2420 vm_swap=0 comm=runc:[2:INIT] cgroups=cpuset=/docker/f162a2858653e86e6572294f13b3d7188e7e6760c08d9711a68201ef109ead... flags=47619(CLONE_FILES|CLONE_FS|CLONE_PARENT_SETTID|CLONE_SIGHAND|CLONE_SYSVSEM|CLONE_THREAD|CLONE_VM) uid=0 gid=0 vtid=2 vpid=1(systemd)
257609 14:28:33.038295469 0 runc:[2:INIT] (27609) > set_robust_list
257610 14:28:33.038295908 0 runc:[2:INIT] (27609) < set_robust_list
257611 14:28:33.038297912 0 runc:[2:INIT] (27609) > <unknown>
257612 14:28:33.038298202 0 runc:[2:INIT] (27609) < <unknown>
257613 14:28:33.038298439 0 runc:[2:INIT] (27609) > <unknown>
257614 14:28:33.038298639 0 runc:[2:INIT] (27609) < <unknown>
257615 14:28:33.038298847 0 runc:[2:INIT] (27609) > gettid
257616 14:28:33.038299049 0 runc:[2:INIT] (27609) < gettid
257617 14:28:33.038299496 0 runc:[2:INIT] (27609) > rt_sigprocmask
257618 14:28:33.038299910 0 runc:[2:INIT] (27609) < rt_sigprocmask
257619 14:28:33.038300396 0 runc:[2:INIT] (27609) > select
257620 14:28:33.038303160 0 runc:[2:INIT] (27609) > switch next=0 pgft_maj=0 pgft_min=0 vm_size=25604 vm_rss=3148 vm_swap=0
257640 14:28:33.038355828 0 runc:[2:INIT] (27610) < clone res=0 exe=/proc/self/exe args=init. tid=27610(runc:[2:INIT]) pid=27608(runc:[1:CHILD]) ptid=27605(docker-runc) cwd= fdlimit=1048576 pgft_maj=0 pgft_min=0 vm_size=33800 vm_rss=3148 vm_swap=0 comm=runc:[2:INIT] cgroups=cpuset=/docker/f162a2858653e86e6572294f13b3d7188e7e6760c08d9711a68201ef109ead... flags=47619(CLONE_FILES|CLONE_FS|CLONE_PARENT_SETTID|CLONE_SIGHAND|CLONE_SYSVSEM|CLONE_THREAD|CLONE_VM) uid=0 gid=0 vtid=3 vpid=1(systemd)
257645 14:28:33.038362492 0 runc:[2:INIT] (27610) > set_robust_list
257646 14:28:33.038362779 0 runc:[2:INIT] (27610) < set_robust_list
257647 14:28:33.038363678 0 runc:[2:INIT] (27610) > <unknown>
257648 14:28:33.038363929 0 runc:[2:INIT] (27610) < <unknown>
257649 14:28:33.038364150 0 runc:[2:INIT] (27610) > <unknown>
257650 14:28:33.038364346 0 runc:[2:INIT] (27610) < <unknown>
257651 14:28:33.038364547 0 runc:[2:INIT] (27610) > gettid
257652 14:28:33.038364771 0 runc:[2:INIT] (27610) < gettid
257653 14:28:33.038365261 0 runc:[2:INIT] (27610) > rt_sigprocmask
257654 14:28:33.038365569 0 runc:[2:INIT] (27610) < rt_sigprocmask
257656 14:28:33.038367165 0 runc:[2:INIT] (27610) > select

full file

Convert Sysdig to Seccomp JSON

The above file can then be converted to a working custom seccomp profile named “nginx.json”:

python3 ./syscall2seccomp.py -s nginx.sysdig > nginx.json

Which looks like this:

{
    "syscalls": [
        {
            "action": "SCMP_ACT_ALLOW",
            "name": "",
            "args": [],
            "names": [
                "unlink",
                "chown",
                "epoll_wait",
                "sendmsg",
                "socket",
                "chdir",
...

full file

Running the profile

Apply your file to the container which needs the absolute path.

docker run --security-opt seccomp=$PWD/nginx.json nginx

Results

You may think that because I spent the time to write a tool to speed up the process of building custom seccomp Docker profiles, that I would recommend that you use it in your environment. No! If anything, it’s to show that even with tools that speed it up, you should never use custom seccomp profiles. If, by some miracle, there are changes that make using per-container seccomp profiles reasonable, then this tool will be ready. In the mean time, consult your orchestration tool of choice for how best to apply security controls at scale.

So yes, you’ve just read through a three part answer to why specifically you should not use custom seccomp profiles per-container in Docker.