Collaborate Disseminate
I have started an unprivileged docker container and trying to start the privileged exec session. It has CAP_SYS_MODULE capabilities, but still, I am getting operations not permitted in insmod.
docker start -it -d –name test ubuntu
docker … Continue reading Why I am unable to execute insmod on the docker container?
Does hardening with SECCOMP a binary running inside a Docker container brings extra security? I can find many articles/papers about hardening the container itself but very few things about hardening binaries inside the container.
SECCOMP w… Continue reading SECCOMP inside a docker container adds an extra layer of security?
I am writing a program that creates BPF seccomp filters. These filters are supposed to check syscalls and their arguments against predefined allowed values. The logic to check the syscall by its number works as expected. However, the logic… Continue reading How to dump the input of a seccomp BPF filter?
I want to run a piece of untrusted code on my machine.
I’ve disabled all syscalls (besides exit, sigreturn, read and write) with seccomp for a process. Now, I’d like to spawn a child process that will execute the untrusted code.
From this answer I understand that seccomp-bpf filters the list of syscalls a process can call.
Similarly, the capabilites mechanism will cause a syscall to fail if the caller does not have the capability necessary for that syscall.
What I… Continue reading What additional protection does seccomp provide when compared to capabilites?
I’m trying to implement a simple container. I would like users to be able to specify whitelisted syscalls in a profile.json file.
Example content of profile.json file:
{
“whitelisted_syscalls”: [“read”, “exit”, “write”, “accept”],
}
I would like to create seccomp rules (with https://github.com/david942j/seccomp-tools) to change the call :
write(2,’error’) to write(1’error’)
so redirect the write on stderr to a write on stdout…
I tried this script : … Continue reading How to write Seccomp rules to redirect write stderr to stdout
Example systemd unit file, what I mean by “seccomp”.
ProtectSystem=full
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateMounts=true
PrivateDevices=true
MemoryDenyWrite… Continue reading Is it possible to use systemd seccomp filtering for running applications from command line?
I know seccomp (secure computing) is a way to restrict a process from making particular system calls.
While linux capabilities provides a way to give privileges to specific user or process.
So if I want to disable a process from making raw… Continue reading Difference between linux capabities and seccomp
I like lowering my access privilege mid-program (e.g. restrict my program to the current directory and files, disable networking). I imagine this is a pretty common wish.
I would like to be able to do this as a normal user, without the in… Continue reading Opt-in a security profile at runtime, without tedious setup