mfhepp / py4docker

Template for running Python 3.x shell scripts and notebooks in a Docker container for isolation, security, and portability
MIT License

Add seccomp profile to bash script #3

Closed mfhepp closed 1 year ago

mfhepp commented 1 year ago

It may be good to add the seccomp profile to the docker run command in the shell file.

https://docs.docker.com/engine/security/seccomp/

mfhepp commented 1 year ago

At least on Docker Desktop v4.25.2, the default configuration is not running the default seccomp profile (contrary to what the Docker docs say). So this issue seems to make sense.

After copying the official profile file default.json and activating it in the startup script, like so:

docker run -it \
 --mount type=bind,source="$(pwd)",target=/usr/app/src/data,readonly \
 --mount type=bind,source="$(pwd)/output",target=/usr/app/src/output \
 --net none \
 --rm \
 --security-opt seccomp=seccomp-default.json \
 test_app "$@"

(and changing the entrypoint in the Dockerfile to /bin/sh temporarily), seccomp is active:

$ ./run_script.sh 
$ grep Seccomp /proc/$$/status 
Seccomp:    2
Seccomp_filters:    1

In the default configuration, it is not:

$ ./run_script.sh 
$ grep Seccomp /proc/$$/status 
Seccomp:    0
Seccomp_filters:    0

So it seems a good approach to

mfhepp commented 1 year ago

Note: Chromium-based applications may need a slightly modified seccomp profile, see e.g. here: https://playwright.dev/python/docs/docker
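The two comments above describe a check (the `Seccomp:` line in `/proc/<pid>/status`, mode 2 meaning a filter is active) and a modification (a profile with extra syscalls allowed for Chromium-based applications). The following is an added example, not code from the py4docker repository or from Docker or Playwright: it parses a seccomp profile in the shape of Docker's `default.json` (`defaultAction`, `architectures`, `syscalls[].names`/`action`), reports which syscalls a given application needs that the profile would block, and produces a copy of the profile with those syscalls allowed. The sample profile and the `/proc` status excerpts are constructed for the example; the syscall names passed to `missing_syscalls` are illustrative and not a statement of what Chromium actually requires. Rule precedence is modelled as "first rule naming the syscall wins", which is a simplification of how Docker and libseccomp combine rules, and per-rule `args`, `includes` and `excludes` conditions are ignored.

```python
import json

# Constructed sample in the shape of Docker's seccomp profile format.
# This is NOT Docker's real default.json, which allows several hundred syscalls.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "openat"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    ],
})

# Constructed /proc/<pid>/status excerpts mirroring the two runs quoted in the issue.
STATUS_WITH_SECCOMP = "Name:\tsh\nSeccomp:\t2\nSeccomp_filters:\t1\n"
STATUS_WITHOUT_SECCOMP = "Name:\tsh\nSeccomp:\t0\nSeccomp_filters:\t0\n"

# Meaning of the Seccomp: field as documented in proc(5).
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def parse_seccomp_mode(status_text: str) -> int:
    """Return the seccomp mode from /proc/<pid>/status text.

    0 = disabled, 1 = strict, 2 = filter. A container started with
    --security-opt seccomp=<profile> should report mode 2.
    """
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Seccomp":
            return int(value.strip())
    raise ValueError("no 'Seccomp:' line found (kernel without seccomp support?)")


def load_profile(text: str) -> dict:
    """Parse a Docker-style seccomp profile from its JSON text."""
    profile = json.loads(text)
    if "defaultAction" not in profile:
        raise ValueError("profile has no defaultAction")
    return profile


def syscall_action(profile: dict, name: str) -> str:
    """Action the profile applies to one syscall.

    Simplified model (assumption of this example): the first rule whose
    'names' contains the syscall decides; otherwise defaultAction applies.
    Per-rule 'args', 'includes' and 'excludes' are not evaluated.
    """
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def missing_syscalls(profile: dict, required) -> list:
    """Syscalls from `required` that the profile would not allow."""
    return sorted(n for n in required if syscall_action(profile, n) != "SCMP_ACT_ALLOW")


def allow_syscalls(profile: dict, names) -> dict:
    """Return a deep copy of the profile with an extra SCMP_ACT_ALLOW rule.

    The rule is inserted first so that it takes precedence under the
    first-match model used by syscall_action(); the input is left untouched.
    """
    new = json.loads(json.dumps(profile))
    new.setdefault("syscalls", []).insert(
        0, {"names": list(names), "action": "SCMP_ACT_ALLOW", "args": []}
    )
    return new


if __name__ == "__main__":
    for label, text in (("with profile", STATUS_WITH_SECCOMP),
                        ("default", STATUS_WITHOUT_SECCOMP)):
        mode = parse_seccomp_mode(text)
        print(f"{label}: Seccomp mode {mode} ({SECCOMP_MODES[mode]})")

    profile = load_profile(SAMPLE_PROFILE)
    # Hypothetical list of syscalls an application might need; not Chromium's real list.
    needed = ["read", "write", "clone", "unshare"]
    blocked = missing_syscalls(profile, needed)
    print("blocked by sample profile:", blocked)
    patched = allow_syscalls(profile, blocked)
    print("blocked after patching:", missing_syscalls(patched, needed))
    print(json.dumps(patched, indent=2))
```

Running the block prints the mode for each status excerpt, the syscalls the sample profile blocks, and the patched profile as JSON that could be written to a file and passed to `--security-opt seccomp=`. Because the real profile format carries conditions this model ignores, the result of `missing_syscalls` is a starting point for reviewing a profile, not a proof that the container will run.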