I was reading through the Playwright docs, and when using Docker they recommend creating a separate user inside the Docker container and using the seccomp profile. A few questions came to mind: is this necessary (a security improvement) if I am using Docker Desktop (since Docker Desktop already runs inside a VM)? How should I go about enabling seccomp on the VM running Docker? And finally, if I understood correctly, this would only enable seccomp, but the actual restrictions imposed by seccomp would be applied on a per-container basis, according to the profile I pass to that container, i.e. the restrictions would apply to that container alone. Is that correct?
- Seccomp is purely a Linux kernel facility to restrict the syscalls that a process may make. It has nothing to do with virtual machines or whether the kernel runs on one. – user17732522 May 14 '23 at 14:20
- @user17732522 Docker Desktop runs on a VM running Linux. As far as I can tell, that Linux kernel running on the VM does not have seccomp enabled, and my question is whether I should enable it and what the proper way to do it is. – Joaquim May 14 '23 at 14:39
- Seccomp is either built into the kernel or not available at all. There is no extra step to enable/disable it. Whether seccomp restrictions are used is up to the user-space process, i.e. Docker creating containers. – user17732522 May 14 '23 at 14:45
- @user17732522 Got it. That answers some of my questions. Tks – Joaquim May 14 '23 at 14:54
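The per-container behaviour the comments describe can be checked directly: ask the engine whether it reports seccomp, then read the `Seccomp:` field of `/proc/self/status` from inside containers started with different profiles. This is an added example, not code from the question, the Playwright docs or Docker itself; it assumes an `alpine` image and a hypothetical `./seccomp_profile.json` path.

```shell
#!/bin/sh
# Added example: confirm that the kernel in Docker Desktop's VM supports seccomp and
# that the filter is applied per container, according to the profile given at run time.

# Map the numeric "Seccomp:" value from /proc/<pid>/status to its meaning:
# 0 = disabled, 1 = strict mode, 2 = filter mode (what a Docker profile produces).
seccomp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# Extract the numeric mode from the text of a /proc/<pid>/status file passed as "$1".
seccomp_mode_from_status() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# 1. Does the daemon (inside the Docker Desktop VM) report seccomp as a security option?
#    Prints e.g. ["name=seccomp,profile=...","..."] when the kernel supports it.
show_engine_support() {
    docker info --format '{{json .SecurityOptions}}'
}

# 2. Report the seccomp mode seen by a process in a container.
#    "$1" is "unconfined", a path to a JSON profile, or empty for Docker's default profile.
container_seccomp_mode() {
    if [ -n "$1" ]; then
        status=$(docker run --rm --security-opt "seccomp=$1" alpine cat /proc/self/status)
    else
        status=$(docker run --rm alpine cat /proc/self/status)
    fi
    seccomp_mode_name "$(seccomp_mode_from_status "$status")"
}

# Usage (needs a running Docker daemon); each container gets only the profile it was given:
#   show_engine_support
#   container_seccomp_mode unconfined               # disabled: no filter in this container
#   container_seccomp_mode ""                       # filter:   Docker's default profile
#   container_seccomp_mode ./seccomp_profile.json   # filter:   the custom (assumed) profile
```

The last three calls run side by side, which is the point of the comments above: the kernel feature is always present, and each container's restrictions come from its own `--security-opt seccomp=` argument.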