From 248fce4dd98577cd947268b05080ae2e5bb53672 Mon Sep 17 00:00:00 2001
From: mutemule
Date: Sun, 27 Feb 2022 15:09:50 -0500
Subject: [PATCH 1/3] Add a seccomp profile
---
 seccomp-libreddit.json | 125 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 125 insertions(+)
 create mode 100644 seccomp-libreddit.json
diff --git a/seccomp-libreddit.json b/seccomp-libreddit.json
new file mode 100644
index 0000000..264c9b7
--- /dev/null
+++ b/seccomp-libreddit.json
@@ -0,0 +1,125 @@
+{
+ "defaultAction": "SCMP_ACT_ERRNO",
+ "archMap": [
+ {
+ "architecture": "SCMP_ARCH_X86_64",
+ "subArchitectures": [
+ "SCMP_ARCH_X86",
+ "SCMP_ARCH_X32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_AARCH64",
+ "subArchitectures": [
+ "SCMP_ARCH_ARM"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPS64",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPS",
+ "SCMP_ARCH_MIPS64N32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPS64N32",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPS",
+ "SCMP_ARCH_MIPS64"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPSEL64",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPSEL",
+ "SCMP_ARCH_MIPSEL64N32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPSEL64N32",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPSEL",
+ "SCMP_ARCH_MIPSEL64"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_S390X",
+ "subArchitectures": [
+ "SCMP_ARCH_S390"
+ ]
+ }
+ ],
+ "syscalls": [
+ {
+ "names": [
+ "accept4",
+ "arch_prctl",
+ "bind",
+ "brk",
+ "clock_gettime",
+ "clone",
+ "close",
+ "connect",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_pwait",
+ "eventfd2",
+ "execve",
+ "exit",
+ "exit_group",
+ "fcntl",
+ "flock",
+ "fork",
+ "fstat",
+ "futex",
+ "getcwd",
+ "getpeername",
+ "getpid",
+ "getrandom",
+ "getsockname",
+ "getsockopt",
+ "getgid",
+ "getppid",
+ "gettid",
+ "getuid",
+ "ioctl",
+ "listen",
+ "lseek",
+ "madvise",
+ "mmap",
+ "mprotect",
+ "mremap",
+ "munmap",
+ "newfstatat",
+ "open",
+ "openat",
+ "prctl",
+ "poll",
+ "read",
+ "recvfrom",
+ "rt_sigaction",
+ "rt_sigprocmask",
+ "rt_sigreturn",
+ "sched_getaffinity",
+ "sched_yield",
+ "sendto",
+ "setitimer",
+ "setsockopt",
+ "set_tid_address",
+ "shutdown",
+ "sigaltstack",
+ "socket",
+ "socketpair",
+ "stat",
+ "wait4",
+ "write",
+ "writev"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ }
+ ]
+}
From 1e61ec699a317385f229d7e747792f1e382f1bd9 Mon Sep 17 00:00:00 2001
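Review bot: The same profile governs the compose healthcheck added in patch 2, which `execve`s `wget` inside the container, so every syscall wget needs must also be in this allow list; names such as `uname`, `readlink`, `statx`, `prlimit64`, `set_robust_list` and `rseq` are absent and are commonly issued by libc start-up or BusyBox tools, so a missing one would surface as an unhealthy container rather than an obvious crash — worth confirming the healthcheck passes with the profile applied. The `archMap` advertises 32-bit sub-architectures (`SCMP_ARCH_X86`, `SCMP_ARCH_ARM`, the MIPS variants) while the names are x86_64-flavoured (`arch_prctl`, `stat`, `open`); 32-bit libcs typically use `fstat64`, `mmap2`, `_llseek` or `clock_gettime64` instead, so the profile will likely block start-up on those arches unless such names are added or the sub-architectures are dropped. `"comment": ""` is left empty; recording how the list was derived, e.g. `"comment": "Derived from tracing a full request plus the wget healthcheck on x86_64; re-validate when the runtime or base image changes"`, would tell future maintainers how to re-check it.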
From: mutemule
Date: Sun, 27 Feb 2022 15:10:47 -0500
Subject: [PATCH 2/3] Use seccomp with docker-compose
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 2688e9d..4969a8a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
 container_name: "libreddit"
 ports:
 - 8080:8080
+ security_opt:
+ - seccomp="seccomp-libreddit.json"
 healthcheck:
 test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
 interval: 5m
From 8997355dcf802d66846b100a2787b56970410a18 Mon Sep 17 00:00:00 2001
From: mutemule
Date: Thu, 23 Jun 2022 07:50:08 -0400
Subject: [PATCH 3/3] No Linux capabilities are used
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 4969a8a..def3170 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
 container_name: "libreddit"
 ports:
 - 8080:8080
+ cap_drop:
+ - ALL
 security_opt:
 - seccomp="seccomp-libreddit.json"
 healthcheck:
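Review bot: The double quotes in `- seccomp="seccomp-libreddit.json"` sit inside a YAML plain scalar, so they become part of the value handed to the engine; as far as I recall the Python Compose v1 strips surrounding quotes from the path while the Go CLI and Compose v2 read a file named verbatim, so the profile may fail to load (or load nothing) depending on which tool runs this file. Writing it as `- seccomp=seccomp-libreddit.json` (or quoting the whole scalar, `- "seccomp=seccomp-libreddit.json"`) is unambiguous for both. The path is also relative, so it resolves against the Compose project directory rather than the caller's working directory — fine as long as the profile stays next to `docker-compose.yml`, which a short comment above the entry could state.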
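Review bot: `cap_drop: ALL` fits the service, which only binds 8080 (no `NET_BIND_SERVICE` needed), but the `security_opt` list two lines below could additionally carry `- no-new-privileges:true`: the seccomp profile from patch 1 still allows `execve`, and that flag keeps a setuid or file-capability binary in the image, if one exists, from regaining privileges across exec. Together with `cap_drop` it makes the reduced privilege set stick for the whole process tree, including the healthcheck's `wget`.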