Technical dive into configuring seccomp and linux security capabilities for Docker-based containers.
The real meat for this talk was in the demos - I'm working on a screencast version, and will add a link here once I have that published!
3. None of my demos should “work” the first time.
4. Worst to best:
Run with --privileged=true
Run with --cap-add ALL
Run with --cap-drop ALL --cap-add <only needed>
Run as non-root user, unprivileged
Useful: capabilities section of https://docs.docker.com/engine/reference/run/
6. From my Monday talk: even in dev you should do this. Break the bad habit. Do as I say, not as I do!
7. 3 sections (of a seccomp profile):
Default Action
Target architectures
Filter rules
Like firewall rules, but harder to debug!
12. We need to build a list of system calls called by the program that we want to succeed.
Guess (preferably educated)
RTFM (thanks John!)
Capture behavior – maybe /usr/sbin/strace
Disassembly?
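Tying slide 7 and slide 12 together, here is an added example (not code from the talk) that turns a captured `strace -f` log into a Docker seccomp profile with the three sections named above: a deny-by-default action, the target architectures, and an allow rule listing the observed syscalls. The trace text is a constructed sample, and the architecture list is an assumption for an x86-64 host; a profile built from one run only allows what that run exercised, so untested code paths will fail with EPERM until you add their calls.

```python
import json
import re

# Leading syscall name of an strace line, with or without the "[pid N]" prefix
# that "strace -f" adds. Resumed lines ("<... read resumed>"), signal markers
# ("--- SIGCHLD ...") and exit markers ("+++ exited ...") do not match.
_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed sample of "strace -f" output for a tiny program (not a real capture).
SAMPLE_TRACE = """\
execve("/app/hello", ["/app/hello"], 0x7ffd5c8e1a40 /* 5 vars */) = 0
brk(NULL)                               = 0x5567f3a2c000
arch_prctl(ARCH_SET_FS, 0x7f0a6b2c0740) = 0
[pid  2041] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
[pid  2041] read(3,  <unfinished ...>
[pid  2042] write(1, "hello\\n", 6)      = 6
[pid  2041] <... read resumed>"127.0.0.1 localhost\\n", 4096) = 20
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2042} ---
close(3)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++
"""

def syscalls_from_strace(trace):
    """Return the sorted, de-duplicated syscall names seen in strace output."""
    names = set()
    for line in trace.splitlines():
        m = _CALL.match(line)
        if m:
            names.add(m.group(1))
    return sorted(names)

def build_profile(names, arches=("SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32")):
    """Assemble a Docker seccomp profile: default action, architectures, filter rules."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",  # deny by default: unlisted calls fail with EPERM
        "architectures": list(arches),      # assumed x86-64 host and its 32-bit ABIs
        "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW", "args": []}],
    }

def profile_json(trace):
    """Full pipeline: strace text in, profile JSON out."""
    return json.dumps(build_profile(syscalls_from_strace(trace)), indent=2)

if __name__ == "__main__":
    # Save the output as profile.json and load it with:
    #   docker run --security-opt seccomp=profile.json <image>
    print(profile_json(SAMPLE_TRACE))
```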
There are so many good talks going on this hour; I'm really honored that you decided to join and I hope this is worthwhile for you.
This talk was tagged "intermediate"; it might go deeper, so please do not be afraid to ask questions.
--privileged does --cap-add ALL as well as allowing device privileges
Docker has 37 capabilities that can be added or removed