
I want to get the available system call list of a running container without knowing the Seccomp profile. How can I achieve it?

Cœur
Luba A

1 Answer

`docker inspect` should dump the SecurityOpt(s) which were used to run the container. Since the seccomp profile is applied through the `--security-opt` command-line parameter, the active profile should be listed among whatever arguments were provided when starting the container.

Based on the profile name, you can translate that into the actual syscall whitelist/blacklist that is applied.

user268396
  • What if I don't attach a seccomp profile, leave it at the default, and use a customized `runc` which recreates some syscalls? I need to get the available syscall list except the recreated ones. – Luba A Jul 31 '18 at 22:15
  • I don't fully understand. If you don't pass any seccomp profile you run with the default of your particular `runc` implementation. You can recognise when no `security-opt` parameters were passed by the fact that the `SecurityOpt` field will be `null` (judging by online sample output). – user268396 Jul 31 '18 at 22:21
  • Have you heard of the Nabla container? It integrates almost 331 syscalls in LibOS and only uses 9 unique system calls in the kernel. It is also based on Docker but uses its own runc called `runnc`. The 331 syscalls are integrated in `runnc`. When you run that container and check the config file in `/var/lib/docker/containers/ID/config`, you will find `Seccomp:" "` is `null`. – Luba A Jul 31 '18 at 22:50
  • If I can get the available syscall list, then I can know the details of those 9 unique syscalls. – Luba A Jul 31 '18 at 23:20
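The answer's approach, worked through as an added example (this is not code from the answer or from Docker): read `HostConfig.SecurityOpt` out of `docker inspect` output to find which seccomp setting the container was started with, then expand a profile in Docker's seccomp JSON format into the syscalls it explicitly allows or blocks. The inspect document and the profile embedded below are constructed samples; the path `/etc/docker/custom-seccomp.json` is a placeholder. When `SecurityOpt` is `null`, as in the `runnc` case discussed in the comments, the function reports that the runtime's default profile applies, and the syscall list has to be taken from that runtime's built-in profile rather than from `docker inspect`.

```python
"""Recover a container's seccomp setting from `docker inspect` output and
expand a Docker-format seccomp profile into its explicit allow/deny sets.
Added example; the inputs below are constructed, not captured from a real host."""
import json

# Constructed: a trimmed `docker inspect <container>` document (it is a JSON list)
# for a container started with a custom profile and no-new-privileges.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder id
    "HostConfig": {
        "SecurityOpt": ["seccomp=/etc/docker/custom-seccomp.json", "no-new-privileges"],
    },
}])

# Constructed: a minimal allowlist-style profile in Docker's seccomp JSON format.
# Real profiles also carry "includes"/"excludes" filters on caps, arches and kernel
# version; this example ignores them and reports syscalls by name only.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "includes": {"minKernel": "4.8"}},
        {"name": "clone", "action": "SCMP_ACT_ERRNO"},  # older single-"name" rule shape
    ],
})


def seccomp_setting(inspect_json: str):
    """Return the seccomp value from HostConfig.SecurityOpt.

    None          -> no seccomp option was passed; the runtime's default profile applies
    "unconfined"  -> seccomp filtering disabled; every syscall the kernel offers is reachable
    anything else -> path of a custom profile file to feed to profile_policy()
    """
    data = json.loads(inspect_json)
    container = data[0] if isinstance(data, list) else data
    opts = container.get("HostConfig", {}).get("SecurityOpt") or []  # null -> []
    for opt in opts:
        if opt.startswith("seccomp="):
            return opt.split("=", 1)[1]
    return None


def profile_policy(profile_json: str):
    """Expand a seccomp profile into (mode, explicitly_allowed, explicitly_blocked).

    mode is "allowlist" when defaultAction is anything but SCMP_ACT_ALLOW (only the
    listed ALLOW rules are reachable) and "denylist" when the default allows
    everything and only the listed rules are blocked.
    """
    profile = json.loads(profile_json)
    mode = "denylist" if profile.get("defaultAction") == "SCMP_ACT_ALLOW" else "allowlist"
    allowed, blocked = set(), set()
    for rule in profile.get("syscalls", []):
        # Docker accepts both "names": [...] and the legacy "name": "..." forms.
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(names)
        else:
            blocked.update(names)
    # A syscall that appears under both actions is treated as blocked here, the
    # conservative reading; libseccomp's exact precedence depends on rule arguments.
    allowed -= blocked
    return mode, allowed, blocked


def describe(inspect_json: str, load_profile=lambda path: SAMPLE_PROFILE) -> str:
    """Human-readable summary of what the container can call.

    load_profile maps a profile path to its JSON text; it defaults to the sample so
    the example runs offline. Replace it with `lambda p: open(p).read()` on a real host.
    """
    setting = seccomp_setting(inspect_json)
    if setting is None:
        return "no --security-opt seccomp given: the runtime's default profile applies"
    if setting == "unconfined":
        return "seccomp=unconfined: all kernel syscalls reachable"
    mode, allowed, blocked = profile_policy(load_profile(setting))
    if mode == "allowlist":
        return f"{setting}: allowlist, reachable syscalls = {sorted(allowed)}"
    return f"{setting}: denylist, blocked syscalls = {sorted(blocked)}"


if __name__ == "__main__":
    print(describe(SAMPLE_INSPECT))
```

On a real host, pipe `docker inspect <container>` into `seccomp_setting` and point `load_profile` at the profile file named in the output; for the default-profile case, the list comes from the runtime's own built-in profile (for `runnc`, the syscalls it implements in LibOS), not from anything `docker inspect` can show.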