Don't feel you have to merge this. I got time to play a lot with toolhive last night and hacked up a way of injecting seccomp profiles during container runtime init.
To be honest, docker and podman have a good set of defaults, but I was thinking about how limited the scope of MCP servers tends to be (most are limited to specialised jobs), and so custom seccomp profiles seemed worth exploring.
I really have not had much time to test this, so please don't feel a need to merge quickly, if at all. I don't want to introduce a security risk from me hacking away with curiosity.
iirc, the order is:

1. Server-specific overrides: Individual configuration in each server's `permissions.seccomp` section in registry.json
2. Global defaults: From `seccomp_defaults` section in registry.json
3. Fallback defaults: Hardcoded in `NewProfile()` function, used only if registry.json is missing and to make sure a footgun does not happen

You can see the rules applied using inspect
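The precedence order described in the comment above, as an added Go example that is not code from this pull request or from toolhive. The `servers`, `default_action` and `allow` field names, the contents of the hardcoded fallback, and the choices to let an override replace (not merge with) the global defaults and to treat an unparsable registry.json like a missing one are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical section shape; the page does not show the real schema.
type Seccomp struct {
	DefaultAction string   `json:"default_action"`
	Allow         []string `json:"allow"`
}
type Registry struct {
	SeccompDefaults *Seccomp `json:"seccomp_defaults"`
	Servers         map[string]struct {
		Permissions struct {
			Seccomp *Seccomp `json:"seccomp"`
		} `json:"permissions"`
	} `json:"servers"`
}

// Constructed sample registry.json, not taken from the project.
const sampleRegistry = `{"seccomp_defaults": {"default_action": "SCMP_ACT_ERRNO", "allow": ["read", "write", "futex"]},
 "servers": {"fetch": {"permissions": {"seccomp": {"allow": ["read", "connect"]}}}, "time": {"permissions": {}}}}`
// hardcoded stands in for the NewProfile() fallback; its contents are assumed.
var hardcoded = Seccomp{"SCMP_ACT_ERRNO", []string{"read", "write", "exit_group"}}

// Resolve returns the effective profile and the layer that supplied it.
func Resolve(raw []byte, server string) (Seccomp, string) {
	var reg Registry
	p, src := hardcoded, "fallback"
	if len(raw) > 0 && json.Unmarshal(raw, &reg) == nil {
		if s, ok := reg.Servers[server]; ok && s.Permissions.Seccomp != nil {
			p, src = *s.Permissions.Seccomp, "server"
		} else if reg.SeccompDefaults != nil {
			p, src = *reg.SeccompDefaults, "global"
		}
	}
	if p.DefaultAction == "" { // an omitted action must never mean allow-all
		p.DefaultAction = "SCMP_ACT_ERRNO"
	}
	return p, src
}

func main() {
	for _, name := range []string{"fetch", "time"} {
		p, src := Resolve([]byte(sampleRegistry), name)
		fmt.Println(name, src, p.DefaultAction, p.Allow)
	}
}
```

Returning the source layer alongside the profile lets an inspect-style command show which of the three levels produced the rules for a given server.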