---
title: "Restrict Seccomp"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/baseline/restrict-seccomp/
---

### Description
Seccomp stands for 'Secure Computing Mode' and is a security mechanism within the Linux kernel. It works by limiting the system calls that a process is allowed to execute. Since system calls are the primary interface between user applications and the kernel, controlling them through seccomp effectively safeguards the kernel, thereby protecting the host system and reinforcing the isolation that containers rely on. This policy ensures that the seccomp profile is not explicitly set to `Unconfined`.

**Restricted Fields**
* spec.securityContext.seccompProfile.type
* spec.containers[*].securityContext.seccompProfile.type
* spec.initContainers[*].securityContext.seccompProfile.type
* spec.ephemeralContainers[*].securityContext.seccompProfile.type

**Allowed Values**
* Undefined/nil
* RuntimeDefault
* Localhost

### Risks
Seccomp operates on rules stored in a file called a seccomp profile. It is recommended that users do not use the `Unconfined` profile, as it allows containers to invoke any syscall. Many syscalls are harmless, but others can be used to escalate privileges, adjust kernel settings, or perform other undesirable actions. Having a seccomp profile in place helps reduce the attack surface by restricting the syscalls that can be made.

### Kyverno Policy
Refer to the Nirmata curated policies - [restrict-seccomp.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml)

### References
#### Configuration Settings
The below configuration indicates that if the deployed resource contains one of `ephemeralContainers` or `initContainers` or `containers` in their `spec` field, **AND** if `securityContext.seccompProfile.type` field is present, then the only acceptable values are `RuntimeDefault` or `Localhost` to be conformant with this security control. If the `securityContext.seccompProfile.type` field is not present, then the resource is conformant by default.

```yaml
=(securityContext):
  =(seccompProfile):
    =(type): "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
```

#### Resource Example
Below is a `Deployment` resource example where `securityContext.seccompProfile.type` is set to `Localhost` or `RuntimeDefault` for the `initContainers`, while the `containers` entry leaves the field unset, which is also conformant.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: operator/default/profile1.json
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      containers:
      - name: container01
        image: dummyimagename
```
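As an added, runnable illustration (not Nirmata's or Kyverno's own code) of how the conditional `=(...)` anchors from the Configuration Settings evaluate against the Deployment above: a Python check that accepts an absent `seccompProfile.type` and rejects only an explicit value outside `RuntimeDefault`/`Localhost`. It assumes manifests are already parsed into dicts; the inputs are a constructed copy of the example plus a non-conformant variant.

```python
# Added example (not Nirmata's or Kyverno's code): the conditional-anchor
# logic from "Configuration Settings" written out in plain Python, run against
# a Pod spec given as a dict (what a YAML loader returns for the manifest).
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def seccomp_violations(pod_spec):
    """Return the paths that violate the control; an empty list is conformant.

    Mirrors the =(...) anchors: a field is checked only when present, so a
    missing securityContext, seccompProfile or type is accepted (the
    "Undefined/nil" allowed value). Only an explicit type outside the allowed
    set, such as Unconfined, is reported.
    """
    violations = []

    def check(security_context, path):
        profile = (security_context or {}).get("seccompProfile") or {}
        if "type" in profile and profile["type"] not in ALLOWED_SECCOMP_TYPES:
            violations.append(f"{path}.securityContext.seccompProfile.type={profile['type']}")

    check(pod_spec.get("securityContext"), "spec")
    for list_name in ("ephemeralContainers", "initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(list_name) or []):
            check(container.get("securityContext"), f"spec.{list_name}[{i}]")
    return violations


def pod_spec_of(resource):
    """Locate the Pod spec in a Pod or in a Pod-template workload (Deployment, ...)."""
    if resource.get("kind") == "Pod":
        return resource["spec"]
    return resource["spec"]["template"]["spec"]


# Constructed inputs: the page's conformant Deployment (containers left unset)
# and a variant whose only container explicitly opts out of seccomp.
GOOD_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [
        {"name": "initcontainer01", "image": "dummyimagename", "securityContext": {
            "seccompProfile": {"type": "Localhost",
                               "localhostProfile": "operator/default/profile1.json"}}},
        {"name": "initcontainer02", "image": "dummyimagename", "securityContext": {
            "seccompProfile": {"type": "RuntimeDefault"}}},
    ],
    "containers": [{"name": "container01", "image": "dummyimagename"}],
}}}}

BAD_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "container01", "image": "dummyimagename",
                    "securityContext": {"seccompProfile": {"type": "Unconfined"}}}],
}}}}
```

Calling `seccomp_violations(pod_spec_of(GOOD_DEPLOYMENT))` returns an empty list, while the `BAD_DEPLOYMENT` variant reports the `spec.containers[0]` path with its `Unconfined` value.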

