@BenHall
Created May 10, 2016 14:55
seccomp not applying?
Given this profile:
```
cat b.json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO",
      "args": []
    },
    {
      "name": "chown",
      "action": "SCMP_ACT_ERRNO",
      "args": []
    },
    {
      "name": "chown32",
      "action": "SCMP_ACT_ERRNO",
      "args": []
    }
  ]
}
```
I would have expected the following container to fail, as seccomp has blocked chmod.
```
> docker run --rm -it --security-opt seccomp:b.json ubuntu chmod 400 /etc/hostname
> echo $?
0
```
BenHall commented May 10, 2016

Behaviour on a different machine. Seccomp is only being applied if I set a user too.

```
> sudo docker run --rm -it -u 1000 --security-opt seccomp:b.json ubuntu chmod 400 /etc/hostname
chmod: changing permissions of '/etc/hostname': Operation not permitted

> sudo docker run --rm -it  --security-opt seccomp:b.json ubuntu chmod 400 /etc/hostname
> echo $?
0
```

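Two checks a practitioner would run on a profile like the one above, written as an added example that is not part of the gist or its author's code: first, whether a filter is loaded at all inside the container (the `Seccomp:` field of `/proc/self/status` reads `2` when a BPF filter is active, `0` when none is), and second, whether the profile names every syscall that performs the operation being blocked. A rule for `chmod` matches only that one syscall number; `fchmod(2)` and `fchmodat(2)` set the same mode bits and fall through to `defaultAction`, and on current glibc the `chmod(3)` wrapper is implemented with `fchmodat`. The `SAME_EFFECT` table, the `DENYING` set and the helper names are this example's own assumptions rather than anything from Docker or libseccomp; the gist's profile is embedded so the script runs offline.

```python
import json
from typing import Dict, List, Optional

# The profile from the gist above, embedded so this script runs offline.
GIST_PROFILE = """{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"name": "chmod",   "action": "SCMP_ACT_ERRNO", "args": []},
    {"name": "chown",   "action": "SCMP_ACT_ERRNO", "args": []},
    {"name": "chown32", "action": "SCMP_ACT_ERRNO", "args": []}
  ]
}"""

# Assumed grouping (this example's own): syscalls that reach the same kernel
# operation as chmod(2) and chown(2). A rule naming only "chmod" matches that
# one syscall number; the f*/ *at variants fall through to defaultAction.
# fchmodat2 exists from Linux 6.6 onward.
SAME_EFFECT = {
    "chmod": ["chmod", "fchmod", "fchmodat", "fchmodat2"],
    "chown": ["chown", "fchown", "lchown", "fchownat",
              "chown32", "fchown32", "lchown32"],
}

# Actions that actually stop the syscall from completing (LOG/TRACE do not).
DENYING = {"SCMP_ACT_ERRNO", "SCMP_ACT_TRAP", "SCMP_ACT_KILL",
           "SCMP_ACT_KILL_THREAD", "SCMP_ACT_KILL_PROCESS"}


def load_profile(text: str) -> dict:
    """Parse a Docker/libseccomp JSON profile."""
    return json.loads(text)


def rule_actions(profile: dict) -> Dict[str, str]:
    """Map every syscall the profile names to its action.

    Accepts both the single "name" key used in the gist and the later
    "names" list that Docker's default profile uses."""
    actions: Dict[str, str] = {}
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        for name in names:
            actions[name] = rule["action"]
    return actions


def effective_action(profile: dict, syscall: str) -> str:
    """Action the filter takes for one syscall: its rule, else defaultAction."""
    return rule_actions(profile).get(syscall, profile.get("defaultAction", "SCMP_ACT_ALLOW"))


def uncovered(profile: dict, family: List[str]) -> List[str]:
    """Members of `family` that the profile lets through."""
    return [s for s in family if effective_action(profile, s) not in DENYING]


def harden(profile: dict, syscalls: List[str], action: str = "SCMP_ACT_ERRNO") -> dict:
    """Copy of the profile with each missing syscall added under `action`."""
    new = json.loads(json.dumps(profile))  # deep copy; leave the input alone
    have = rule_actions(new)
    new.setdefault("syscalls", [])
    for s in syscalls:
        if s not in have:
            new["syscalls"].append({"name": s, "action": action, "args": []})
    return new


def seccomp_mode(status_text: str) -> Optional[int]:
    """Parse the Seccomp: field of /proc/<pid>/status.

    0 = no filter, 1 = strict mode, 2 = filter (BPF) mode. A profile that
    Docker really applied shows 2 from inside the container."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1].strip())
    return None


def own_seccomp_mode() -> Optional[int]:
    """Seccomp mode of this process, or None where /proc is unavailable."""
    try:
        with open("/proc/self/status") as fh:
            return seccomp_mode(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    profile = load_profile(GIST_PROFILE)
    for base, family in SAME_EFFECT.items():
        print(f"{base}: still allowed -> {uncovered(profile, family)}")
    fixed = harden(profile, SAME_EFFECT["chmod"] + SAME_EFFECT["chown"])
    print(json.dumps(fixed, indent=2))
    print("seccomp mode of this process:", own_seccomp_mode())
```

To run the first check where it matters, use the container itself: `docker run --rm --security-opt seccomp=b.json ubuntu grep Seccomp /proc/self/status` (Docker accepts `seccomp=` as the current form of the option). With strace installed in the image, `strace -f -e trace=chmod,fchmod,fchmodat chmod 400 /etc/hostname` shows which of the family the coreutils binary actually issues, which is the number the profile has to name.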