Securing Containers with Seccomp

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

👋 Before we begin... a big thank you to today's sponsor WRITER

Writer RAG tool: build production-ready RAG apps in minutes

RAG in just a few lines of code? We’ve launched a predefined RAG tool on our developer platform, making it easy to bring your data into a Knowledge Graph and interact with it with AI. With a single API call, writer LLMs will intelligently call the RAG tool to chat with your data.

Integrated into Writer’s full-stack platform, it eliminates the need for complex vendor RAG setups, making it quick to build scalable, highly accurate AI workflows just by passing a graph ID of your data as a parameter to your RAG tool.

IN TODAY'S EDITION

🧠 Use Case

  • Securing Containers with Seccomp

🚀 Top News

👀 Remote Jobs

📚️ Resources

🛠️ TOOL OF THE DAY

networking-costs-calculator - Sample of a networking costs calculator, helping to estimate the networking costs such as Data Transfer, Transit Gateway Attachments, NAT Gateways etc.

🧠 USE CASE

Securing Containers with Seccomp

As container adoption grows, securing workloads becomes increasingly critical.

One effective way to minimize the attack surface of your containerized applications is through Seccomp (Secure Computing Mode).

It filters system calls (syscalls) to prevent unauthorized access to critical kernel features.

Docker integrates Seccomp to enforce syscall filtering, applying a default profile that denies potentially dangerous calls while allowing necessary ones for most applications.

This mechanism acts as a safety net against privilege escalation attacks or container escapes.

In simple terms,

  • With Seccomp: Only essential syscalls are allowed, reducing the attack surface.

  • Without Seccomp: All syscalls are accessible, increasing the risk of security breaches.

Using Seccomp with Docker:

Running a Container with Seccomp
Docker applies its default profile (default.json, found under profiles/seccomp in the Moby repository) automatically; passing it explicitly works the same way and makes the choice visible in your run command:

  docker run --rm --security-opt seccomp=default.json alpine ash

Custom Seccomp Profiles
You can tailor a Seccomp profile (custom-seccomp.json) to your application's needs:

  {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
      {
        "names": ["read", "write", "exit", "sigreturn"],
        "action": "SCMP_ACT_ALLOW"
      }
    ]
  }

This profile denies every syscall by default (SCMP_ACT_ERRNO returns an error to the caller instead of killing the process) and explicitly allows read, write, exit, and sigreturn. Treat the list as a skeleton rather than a working allowlist: even a shell needs far more than this (execve, brk, mmap, and the rest of what the runtime and libc touch), so in practice you extend it from the syscalls you actually observe the workload making.

Run the container with your custom profile:

  docker run --rm --security-opt seccomp=custom-seccomp.json alpine ash

Seccomp works best when combined with other security practices like container capabilities management.

Some Suggestions:

1. Limit Container Capabilities

Use Docker's --cap-drop flag to remove unnecessary Linux capabilities from your containers, adding back only the ones the workload needs:

  docker run --rm --cap-drop=ALL --cap-add=NET_ADMIN alpine ash

2. Use Read-Only Root Filesystem

Mount the container's filesystem as read-only to prevent unauthorized writes. Combine this with Seccomp to further reduce risks.

  docker run --rm --read-only alpine ash

3. Leverage User Namespaces

Map the container's root user to a non-privileged host user to isolate processes. Two related controls help here: the --user flag runs the container process as an unprivileged UID/GID, and user-namespace remapping (the daemon's userns-remap setting) maps even a root process inside the container to an unprivileged user on the host.

  docker run --rm --user 1001:1001 alpine ash

4. Network Isolation

Combine Seccomp with Docker's --network flag to restrict network access for containers that don't require it.

  docker run --rm --network=none alpine ash

5. Audit and Monitor Syscalls

Use tools like oci-seccomp-bpf-hook or sysdig (or strace -f during a test run) to record which syscalls a container actually makes, then build or tighten your Seccomp profile from that recorded behavior rather than from guesswork.
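The custom profile above and this auditing step fit together: record the syscalls a workload makes, then generate a deny-by-default profile that allows exactly those, and check any hand-written profile against the recording before shipping it. The following script is an added example, not code from the newsletter or from Docker; the helper names, the strace sample lines and the architecture list are its own assumptions, and it writes Docker's profile layout ("defaultAction", "syscalls" with "names"/"action").

```python
"""Build and check Docker-style seccomp profiles from observed syscalls.

Added example (not from the newsletter). Function names, the constructed
`strace -f` sample and the architecture list are assumptions of this
example; the JSON layout follows Docker's seccomp profile format.
"""
import json
import re
from typing import Iterable

# Syscalls the newsletter's minimal custom-seccomp.json allows.
MINIMAL_ALLOWLIST = ["read", "write", "exit", "sigreturn"]

# Actions that block a syscall when used as defaultAction.
_DENY_ACTIONS = ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP")

# Syscall name at the start of an strace line; `strace -f` prefixes
# child-process lines with "[pid NNN]".
_STRACE_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed strace output for a short shell session (not a real capture).
SAMPLE_STRACE = [
    'execve("/bin/ash", ["ash"], 0x7ffd00000000 /* 5 vars */) = 0',
    "brk(NULL) = 0x55d3c6a1e000",
    '[pid 42] read(0, "ls\\n", 1024) = 3',
    'write(1, "bin\\n", 4) = 4',
    "--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---",
    "+++ exited with 0 +++",
    "exit_group(0) = ?",
]


def parse_strace(lines: Iterable[str]) -> set:
    """Collect syscall names, skipping signal (---) and exit (+++) lines."""
    names = set()
    for line in lines:
        m = _STRACE_CALL.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def build_profile(allowed: Iterable[str],
                  default_action: str = "SCMP_ACT_ERRNO") -> dict:
    """Deny-by-default profile that allows only the given syscalls."""
    return {
        "defaultAction": default_action,
        # Assumed target architectures; adjust for your hosts.
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def is_deny_by_default(profile: dict) -> bool:
    """True when unlisted syscalls are blocked rather than allowed."""
    return profile.get("defaultAction") in _DENY_ACTIONS


def allowed_syscalls(profile: dict) -> set:
    """Syscalls permitted by explicit SCMP_ACT_ALLOW rules."""
    return {name for rule in profile.get("syscalls", [])
            if rule.get("action") == "SCMP_ACT_ALLOW"
            for name in rule.get("names", [])}


def missing_syscalls(profile: dict, required: Iterable[str]) -> list:
    """Required syscalls the profile would block (sorted)."""
    if not is_deny_by_default(profile):
        return []  # allow-by-default blocks nothing
    return sorted(set(required) - allowed_syscalls(profile))


def profile_json(profile: dict) -> str:
    """Serialize a profile for --security-opt seccomp=<file>."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    observed = parse_strace(SAMPLE_STRACE)
    minimal = build_profile(MINIMAL_ALLOWLIST)
    print("minimal profile would block:", missing_syscalls(minimal, observed))
    tightened = build_profile(set(MINIMAL_ALLOWLIST) | observed)
    print(profile_json(tightened))
```

Run the script to see which syscalls the newsletter's four-entry profile would deny for the sample session, then the merged profile you could pass to --security-opt seccomp=custom-seccomp.json. A recording only covers the code paths you exercised, so re-run the check whenever the workload or its base image changes.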

By layering Seccomp with these practices, you create a defense-in-depth strategy, significantly improving container security and reducing the risk of exploitation.


Looking to promote your company, product, service, or event to 24,000+ TechOps Professionals? Let's work together.