SECCOMP inside a docker container adds an extra layer of security?

Does hardening with SECCOMP a binary running inside a Docker container bring extra security? I can find many articles/papers about hardening the container itself but very few things about hardening binaries inside the container.
SECCOMP w…

Syscalls are disabled with seccomp. What attacks are still possible? How to prevent them?

I want to run a piece of untrusted code on my machine.
I’ve disabled all syscalls (besides exit, sigreturn, read and write) with seccomp for a process. Now, I’d like to spawn a child process that will execute the untrusted code.

What atta…

Is it possible to use systemd seccomp filtering for running applications from command line?

Example systemd unit file, what I mean by “seccomp”.

ProtectSystem=full
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateMounts=true
PrivateDevices=true
MemoryDenyWrite…