0

I'm investigating about kernel security using Docker. I'm testing seccomp and it works very well on Debian and Ubuntu, but It's not working on Kali Linux.

Example:

I created a simple json file called sec.json with this content:

{
    "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [
                {
                    "name": "mkdir",
                    "action": "SCMP_ACT_ERRNO"
                }
            ]
}

It' suppossed that running a container using seccomp and this file will produce that you are not able to use mkdir command inside the container. This is the docker run command:

docker run --rm -ti --security-opt seccomp=/path/to/sec.json ubuntu:xenial sh

As I said it works very well on Debian and Ubuntu, but on Kali Linux I got this error:

docker: Error response from daemon: linux seccomp: seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile.

My docker-engine version is 17.05.0-ce and my Kernel is 4.9.0-kali3-amd64 #1 SMP Debian 4.9.18-1kali1 (2017-04-04) x86_64 GNU/Linux. I googled about this and is quite strange. It is suppossed that seccomp is supported if you can check this:

cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=

I got as a result:

CONFIG_SECCOMP=y

So it's suppossed that it's supported. What am I missing or what is the explanation about this is not working on Kali? Thanks.

OscarAkaElvis
  • 5,384
  • 4
  • 27
  • 51

2 Answers2

0

Ok I found this post. I'll try to answer myself:

https://github.com/moby/moby/issues/26497

Is quite similar. I checked my docker info output and on Ubuntu and Debian I have the Security Options: seccomp and I have nothing on Kali.

The possible explanation is the libseccomp2 package which contains the needed library is too old. Maybe if the Kali staff update the library it could be supported.

OscarAkaElvis
  • 5,384
  • 4
  • 27
  • 51
-1

Use

echo 'apt::sandbox::seccomp "false";' > /etc/apt/apt.conf.d/999seccomp

That should work.

Shritam Bhowmick
  • 39
  • 1