Have you wondered what a seccomp security profile is, and how it relates to Linux Capabilities? Folks often dismiss seccomp profiles and Capabilities as a way of hardening applications as it is too difficult to determine what syscalls are in use by a given application. In this session we will explore a couple of tools designed to make this more approachable. Come learn about these super powers!

1. ©2020 VMware, Inc.
Seccomp Security
Profiles and You
A practical guide
Duffie Cooley
Staff Cloud Native Architect

2. ©2020 VMware, Inc. @mauilion 2
$ whoami
● Staff Cloud Native Architect at VMware
○
● Host of tgik.io thepodlets.io
● I have been helping folks with Kubernetes since 2016!
● Find me most anywhere as @mauilion

3. ©2020 VMware, Inc. @mauilion 3
What is a Container!

4. ©2020 VMware, Inc. @mauilion 4
How does all this work!
$ info capabilities

5. ©2020 VMware, Inc. @mauilion 5
How does all this work!
Capabilities Grant access to stuff.
seccomp filters or blocks that access in a
granular way.
seccomp should be used in an allow list and
deny list model!
Otherwise you will miss stuff!
There are 345 syscalls in x86_64 arch as of
kernel 5.8.0-rc3
ref: fedora.juszkiewicz.com.pl/syscalls.html

6. ©2020 VMware, Inc. @mauilion 6
amicontained
@mauilion

7. ©2020 VMware, Inc. @mauilion 7
What can a Docker Container do?

8. ©2020 VMware, Inc. @mauilion 8
What can a kubernetes pod do?

9. ©2020 VMware, Inc. @mauilion 9
Why are these different!
● Folks like @jessfraz and others did a bunch of research into a
“reasonable” default seccomp profile.
● You can see this work here:
docs.docker.com/engine/security/seccomp/
● Docker still uses this by default!
Kubernetes disables the “default”

10. ©2020 VMware, Inc. @mauilion 10
Why tho?
● Mostly cause of the implementation detail of multiple containers in a
pod
● Each pod is at least 2 containers an infra or “Pause” container and the
container(s) you define.
● The Pause container handles shared things like the network
namespace

11. ©2020 VMware, Inc. @mauilion 11
What do?
● You can set an annotation either at the pod or the container level!
POD
annotations:
seccomp.security.alpha.kubernetes.io/pod: “runtime/default”
Container
annotations:
container.security.alpha.kubernetes.io/<container-name>:
“runtime/default"

12. ©2020 VMware, Inc. @mauilion 12
Why do this stuff at all?
● There are a bunch of attacks against containers that are interesting.
○ Supply Chain attacks.
Where did this container image and it’s deps come from?
○ Exploitable application bugs
Can I get a shell? Did some kind soul leave bash behind?
○ Syscalls in the shared linux kernel
With that shell I got what else can I do?

13. ©2020 VMware, Inc. @mauilion 13
What syscalls are being used?

14. ©2020 VMware, Inc. @mauilion 14
But what about my container images?
Optimize Your Docker Containers. Smaller, Faster,
More Secure, Frictionless!

15. ©2020 VMware, Inc. @mauilion 15
Demo Time!
Docker image: inanimate/echo-server
Environment: kind.sigs.k8s.io
Kubernetes Version: v1.19
sigs.k8s.io/secomp-operator deployed.

16. ©2020 VMware, Inc. @mauilion 16
SHOUT OUTS!
● Come see @IanColdwater and I present at security day!
● Shout-out to:
○ The magnificent Mr. Daniel Mangum!
○ The amazing Paulo Gomez!
○ The incredible Sascha Grunert!
● References:
○ sigs.k8s.io/kind
○ sigs.k8s.io/seccomp-operator
○ docs.k8s.io/tutorials/clusters/seccomp/
○ itnext.io/seccomp-in-kubernetes-part-i-7-things-you-should-know-
before-you-even-start-97502ad6b6d6
○ itnext.io/seccomp-in-kubernetes-part-2-crafting-custom-seccomp-
profiles-for-your-applications-c28c658f676e

17. Confidential │ ©2019 VMware, Inc.
Thank You