Closed mfhepp closed 1 year ago
At least on Docker Desktop v4.25.2, the default configuration is not running the default seccomp profile (contrary to what the Docker docs say). So this issue seems to make sense.
By copying the official profile file default.json and activating it in the startup script, like so:

```sh
docker run -it \
--mount type=bind,source="$(pwd)",target=/usr/app/src/data,readonly \
--mount type=bind,source="$(pwd)/output",target=/usr/app/src/output \
--net none \
--rm \
--security-opt seccomp=seccomp-default.json \
test_app "$@"
```
(and changing the entrypoint in the Dockerfile to /bin/sh temporarily), seccomp is active:

```console
$ ./run_script.sh
$ grep Seccomp /proc/$$/status
Seccomp: 2
Seccomp_filters: 1
```
In the default configuration, it is not:
```console
$ ./run_script.sh
$ grep Seccomp /proc/$$/status
Seccomp: 0
Seccomp_filters: 0
```
So it seems a good approach to
run_script.sh
Note: Chromium-based applications may need a slightly modified seccomp profile, see e.g. here: https://playwright.dev/python/docs/docker
It may be good to add seccomp to the docker run command in the shell file:
https://docs.docker.com/engine/security/seccomp/
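The `grep Seccomp /proc/$$/status` check shown above can be turned into a startup guard so that the container refuses to run if the profile silently did not apply (as happened on Docker Desktop in the default configuration). The script below is an added example written for this thread, not code from the project or the issue author; the function names, the `--check` flag and the sample status files are constructed here for illustration. `Seccomp: 2` means a seccomp filter is installed; `Seccomp_filters:` reports how many and only exists on newer kernels, so it is treated as informative rather than required.

```shell
#!/bin/sh
# Added example (not from the issue): parse the Seccomp mode out of a
# /proc/<pid>/status dump and fail loudly if no seccomp filter is active.
# Seccomp field values: 0 = disabled, 1 = strict, 2 = filter (Docker's default profile).

seccomp_mode() {
  # $1: path to a status file, e.g. /proc/self/status
  awk '/^Seccomp:/ { print $2 }' "$1"
}

seccomp_filters() {
  # Number of attached filters; empty on kernels without the Seccomp_filters field
  awk '/^Seccomp_filters:/ { print $2 }' "$1"
}

describe_seccomp() {
  case "$(seccomp_mode "$1")" in
    0) echo "disabled" ;;
    1) echo "strict" ;;
    2) echo "filter" ;;
    *) echo "unknown" ;;
  esac
}

# Exit status 0 when a seccomp filter is in effect for the process, 1 otherwise.
require_seccomp() {
  [ "$(seccomp_mode "$1")" = "2" ]
}

# Constructed sample status files mirroring the two observations in the issue
make_samples() {
  dir=$(mktemp -d)
  printf 'Name:\tsh\nSeccomp:\t2\nSeccomp_filters:\t1\n' > "$dir/with_profile"
  printf 'Name:\tsh\nSeccomp:\t0\nSeccomp_filters:\t0\n' > "$dir/without_profile"
  echo "$dir"
}

# Run as the first line of the container entrypoint: `seccomp_check.sh --check && exec app`
if [ "$1" = "--check" ]; then
  if require_seccomp /proc/self/status; then
    echo "seccomp filter active (filters: $(seccomp_filters /proc/self/status))"
  else
    echo "WARNING: no seccomp filter active (mode: $(describe_seccomp /proc/self/status))" >&2
    exit 1
  fi
fi
```

Running it with `--check` inside the container started by `run_script.sh` prints the filter count when `--security-opt seccomp=...` took effect and exits non-zero otherwise, which is a cheap way to catch a host whose Docker installation ignores the documented default.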