seccomp-profile-default.json
Overview
seccomp-profile-default.json is a security profile file that defines a default seccomp (secure computing mode) filter for Linux-based containerized applications or sandboxed environments. It specifies which system calls (syscalls) are allowed or denied when the application runs, thereby restricting the environment to a minimal set of permitted syscalls to reduce the attack surface.
This profile is typically used in container runtimes (like Docker, containerd, or Kubernetes) or sandboxing frameworks to enforce syscall filtering at runtime, enhancing the security posture by preventing unauthorized or potentially harmful syscalls.
File Structure and Functionality
The JSON file configures the seccomp filter through three main sections:
1. defaultAction
Type: String
Purpose: Defines the default action to take when a syscall does not match any explicitly allowed syscall in the profile.
Value in this file:
"SCMP_ACT_ERRNO"
Explanation: This action causes the kernel to return an error (errno) for any syscall not listed as allowed, effectively blocking all unspecified syscalls.
2. archMap
Type: Array of objects
Purpose: Maps the primary CPU architecture to one or more sub-architectures. This ensures that the seccomp profile applies correctly across related CPU architectures that share syscall ABIs.
Content in this file:
{ "architecture": "SCMP_ARCH_X86_64", "subArchitectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ] }
Explanation: This means the profile targets the x86_64 architecture and its sub-architectures, including 32-bit x86 and the x32 ABI, ensuring syscall filtering applies consistently across these platforms.
3. syscalls
Type: Array of objects
Purpose: Lists specific syscalls and the action to apply to them.
Content in this file: One entry with:
names: An array of syscall names allowed by this profile.
action: "SCMP_ACT_ALLOW", meaning these syscalls are explicitly permitted.
Allowed syscalls include:
read, write, exit, clone, execve, mmap, munmap, futex, getpid, getuid, clock_gettime, nanosleep, etc.
Explanation: Only the listed syscalls are permitted; all other syscalls will result in an error due to the default action.
Important Implementation Details
Seccomp Filtering: This profile uses seccomp-bpf via libseccomp constants (SCMP_ACT_ALLOW, SCMP_ACT_ERRNO, etc.). When loaded into the kernel, it restricts the process to only the allowed syscalls.
Syscall Names: The syscall names correspond to Linux syscall interface names, which the kernel recognizes.
Security Model: By default, all syscalls not explicitly allowed return an error, preventing execution of any unexpected or dangerous syscalls.
Architecture Support: The archMap ensures that on x86_64 hosts, the profile will correctly apply to 32-bit and x32 syscalls, which might be used by 32-bit binaries or emulation layers.
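How defaultAction, archMap and syscalls combine into a per-syscall decision, as an added example that is not part of the profile or of any runtime's code. The function names are hypothetical, the embedded profile is a constructed sample holding only the names this page lists, and the model assumes the first matching rule wins and ignores per-argument conditions.

```python
import json

# Constructed sample: only the fields and syscall names this page lists
# (the page's own list ends in "etc.", so the real file holds more names).
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    {"architecture": "SCMP_ARCH_X86_64",
     "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}
  ],
  "syscalls": [
    {"names": ["read", "write", "exit", "clone", "execve", "mmap", "munmap",
               "futex", "getpid", "getuid", "clock_gettime", "nanosleep"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}
"""
NON_BLOCKING = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}  # actions that let the call run

def covered_archs(profile):
    """Every architecture token that archMap places under the filter."""
    archs = set()
    for entry in profile.get("archMap", []):
        archs.add(entry["architecture"])
        archs.update(entry.get("subArchitectures", []))
    return archs

def effective_action(profile, syscall, arch="SCMP_ARCH_X86_64"):
    """Action assigned to `syscall`; None when `arch` is outside archMap."""
    if arch not in covered_archs(profile):
        return None  # example convention: these rules do not decide this ABI
    for rule in profile.get("syscalls", []):  # assumption: first match wins
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]  # unlisted syscalls fall through to here

def lint(profile):
    """Findings that undermine the default-deny model this page describes."""
    findings = []
    default = profile.get("defaultAction")
    if default in NON_BLOCKING:
        findings.append(f"defaultAction {default} does not block unlisted syscalls")
    for rule in profile.get("syscalls", []):
        if rule.get("action") == default:
            findings.append("rule only repeats defaultAction: " + ", ".join(rule["names"]))
    return findings

PROFILE = json.loads(PROFILE_JSON)
```

Running lint over a profile before handing it to the runtime catches a default-allow configuration, where the names list no longer restricts anything.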
Usage Example
This JSON file is loaded by a container runtime or sandboxing tool as part of the seccomp profile configuration. For example:
docker run --security-opt seccomp=seccomp-profile-default.json alpine echo "Hello, Seccomp"
This command runs an Alpine Linux container with the specified seccomp profile, limiting syscalls to those allowed in the JSON file.
Interaction with Other System Components
Container Runtime: Container runtimes like Docker, containerd, or CRI-O load this profile to enforce syscall filtering on containers.
Kernel: The Linux kernel applies the seccomp filter via the seccomp-bpf mechanism, restricting syscalls as per this profile.
Application: The running application inside the container or sandbox is restricted by these syscall rules, which can prevent exploits, privilege escalations, or unauthorized resource access.
Summary
This file is a security-critical configuration that enforces a whitelist of allowed syscalls for processes, primarily in containerized environments. Its conservative default-deny approach helps harden container security by allowing only essential syscalls.
Visual Diagram
The diagram below illustrates the structure of the seccomp-profile-default.json file and the relationships between its main components.
flowchart TD
A[seccomp-profile-default.json] --> B[defaultAction: SCMP_ACT_ERRNO]
A --> C[archMap]
C --> C1[architecture: SCMP_ARCH_X86_64]
C --> C2[subArchitectures: SCMP_ARCH_X86, SCMP_ARCH_X32]
A --> D[syscalls]
D --> D1[names: read, write, exit, ...]
D --> D2[action: SCMP_ACT_ALLOW]
Summary of Key Fields
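| Field | Description | Example Value |
|---|---|---|
| defaultAction | Default seccomp action for unmatched syscalls | "SCMP_ACT_ERRNO" |
| archMap | Architecture and sub-architecture mapping | { "architecture": "SCMP_ARCH_X86_64", "subArchitectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ] } |
| syscalls | List of allowed syscalls and their action (SCMP_ACT_ALLOW) | names: read, write, exit, ... |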
If you need further details on seccomp profiles or integration with specific runtimes, please refer to the official Linux seccomp documentation or the container runtime security guides.