Default Seccomp Profile Disabled

• Query id: 404fde2c-bc4b-4371-9747-7054132ac953
• Query name: Default Seccomp Profile Disabled
• Platform: DockerCompose
• Severity: Medium
• Category: Resource Management
• URL: Github

Description

Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

version: "3.8"

services:
  demo:
    image: not/a/real/image
    cap_add:
      - SYS_PTRACE
    volumes:
      - type: volume
        source: not-a-real-source-docker
        target: /var/lib/docker
    security_opt:
      - label:seccomp:unconfined

volumes:
  not-a-real-source-docker:

Positive test num. 2 - yaml file

version: "3.9"

networks:
  backend:

services:
  example:
    build: .
    security_opt:
      - seccomp:unconfined
    networks:
      - backend
    ports:
      - "5002:5002"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

version: "3.9"

services:
  webapp:
    build:
      context: ./
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1