Host Network with Host Mount Example
$ docker run -p 45678:80 -v "$(pwd)":/usr/share/nginx/html --rm -d --name nginxweb nginx
Privilege escalation in a privileged pod with nsenter (host process namespace)
$ docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Privilege escalation with chroot (host mount namespace)
$ docker run -v /:/host -it --privileged debian -- /bin/sh -c "chroot /host bash -c 'docker ps'"
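The two commands above rely on host configuration that a defender can spot directly in `docker inspect` output: `--privileged`, `--pid=host`, a bind mount of `/` (or the Docker socket), a disabled seccomp or AppArmor profile, and near-root capabilities added back. The audit below is an added example written for this page, not code from the original or from Docker. The `SAMPLE_CONTAINERS` JSON is constructed to look like `docker inspect` HostConfig entries and mirrors the flags used above; the field names (`Privileged`, `PidMode`, `Binds`, `SecurityOpt`, `CapAdd`) are real `docker inspect` keys, while the list of sensitive paths and dangerous capabilities is the author's own choice.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect` HostConfig output.
# Not captured from a real host; the values mirror the commands above.
SAMPLE_CONTAINERS = json.loads("""
[
  {"Name": "/debug", "HostConfig": {"Privileged": true, "PidMode": "host",
     "Binds": ["/:/host"], "SecurityOpt": null, "CapAdd": null}},
  {"Name": "/nginxweb", "HostConfig": {"Privileged": false, "PidMode": "",
     "Binds": ["/home/user/site:/usr/share/nginx/html"],
     "SecurityOpt": null, "CapAdd": null}},
  {"Name": "/tools", "HostConfig": {"Privileged": false, "PidMode": "",
     "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
     "SecurityOpt": ["seccomp=unconfined"], "CapAdd": ["SYS_ADMIN"]}}
]
""")

# Host paths whose bind mount gives the container control of the host
# (assumed list, extend to taste).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock"}
# Capabilities that are close to root on the host (assumed list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH", "NET_ADMIN"}


def audit_container(entry):
    """Return a list of finding strings for one `docker inspect` entry."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all caps, all devices, no seccomp/AppArmor")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: host PID 1 reachable, nsenter works")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        src = src.rstrip("/") or "/"          # normalise "/" and "/etc/"
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"bind mount of {src}: host filesystem exposed")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"{opt}: kernel-side confinement disabled")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in DANGEROUS_CAPS:
            findings.append(f"cap-add {cap}: near-root capability")
    return findings


def audit_all(containers):
    """Map container name -> findings, keeping only containers with findings."""
    report = {}
    for c in containers:
        found = audit_container(c)
        if found:
            report[c["Name"]] = found
    return report


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit.py
    data = SAMPLE_CONTAINERS if sys.stdin.isatty() else json.load(sys.stdin)
    for name, found in audit_all(data).items():
        print(name)
        for f in found:
            print("  -", f)
```

Pipe `docker inspect $(docker ps -q)` into the script to audit running containers; on a Kubernetes node the same fields appear in the pod's `securityContext` and `volumes`, so the checks translate directly.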
AppArmor Profile
$ docker run --rm -it --security-opt apparmor=docker-default hello-world
Scan an image, pull it and view its history
$ trivy image --skip-db-update -s CRITICAL,HIGH ubuntu/squid
$ docker pull ubuntu/squid
$ docker history --no-trunc ubuntu/squid
emptyDir: an easy-to-use volume type (tmpfs) on a read-only root filesystem
$ docker run --tmpfs /opt --read-only -u kurtis -it --rm test
Drop all capabilities, then add one back
$ docker run --rm --cap-drop ALL getcaps /bin/sh -c 'ping -c1 -w2 127.0.0.1'
$ docker run --rm --cap-drop ALL --cap-add CAP_NET_RAW getcaps /bin/sh -c 'ping -c1 -w2 127.0.0.1'
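To see why the first `ping` fails and the second succeeds, decode the capability masks the kernel reports in `/proc/<pid>/status` (`CapEff`, `CapBnd`, ...). The decoder below is an added example for this page, not code from the original or from the `getcaps` image. The bit numbers come from the kernel's `capability.h`; `SAMPLE_STATUS` is a constructed excerpt whose `CapEff` value `a80425fb` is the mask Docker grants by default, and the second sample shows the mask left after `--cap-drop ALL --cap-add CAP_NET_RAW`.

```python
# Capability bit numbers from include/uapi/linux/capability.h
# (index in this list == bit position in the CapXxx masks).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed /proc/self/status excerpts (not captured output).
# Docker's default capability set is the well-known mask a80425fb.
SAMPLE_STATUS_DEFAULT = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
# After --cap-drop ALL --cap-add CAP_NET_RAW only bit 13 remains.
SAMPLE_STATUS_NET_RAW_ONLY = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000000000002000
CapAmb:\t0000000000000000
"""


def decode_capmask(hex_mask):
    """Turn a hex mask such as '00000000a80425fb' into capability names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_proc_status(text):
    """Decode every Cap* line of a /proc/<pid>/status dump."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            caps[key.strip()] = decode_capmask(value.strip())
    return caps


def raw_socket_allowed(status_text):
    """ping needs a raw ICMP socket, i.e. CAP_NET_RAW in the effective set."""
    return "CAP_NET_RAW" in parse_proc_status(status_text).get("CapEff", [])


if __name__ == "__main__":
    # Inside a container: python3 caps.py < /proc/self/status
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS_DEFAULT
    for key, names in parse_proc_status(text).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
    print("ping via raw socket:", "allowed" if raw_socket_allowed(text) else "denied")
```

One caveat when reading the result: on kernels where `net.ipv4.ping_group_range` includes the container's group, `ping` can fall back to an unprivileged ICMP datagram socket and work even without `CAP_NET_RAW`, so an absent capability is not by itself proof that raw networking is blocked.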
Seccomp: disable it, or pass a custom profile
$ docker run --rm -it --security-opt seccomp=unconfined getcaps unshare --map-root-user --user /bin/sh -c uptime
# Custom profile
$ curl -O https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json
$ docker run --rm -it --security-opt seccomp=./default.json getcaps
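The difference between the two runs is that the default profile gates `unshare` (and `mount`, `setns`, ...) behind `CAP_SYS_ADMIN`, so the namespace trick only works with `seccomp=unconfined`. The evaluator below is an added example written for this page, not code from the original or from moby. `MINI_PROFILE` is a constructed, deliberately small profile in the same JSON shape as `default.json` (`defaultAction`, `syscalls[].names`, `action`, `includes.caps`); `DOCKER_DEFAULT_CAPS` is Docker's default capability list. The evaluator applies `includes`/`excludes` on capabilities with any-of semantics, treats `arches` and `minKernel` filters as matching, and ignores per-argument (`args`) rules, which is an assumption that keeps the example short but means it over-approximates for rules such as the `clone` flag filter.

```python
import json

# Docker's default capability set (what a plain `docker run` gets).
DOCKER_DEFAULT_CAPS = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
]

# Constructed profile in the shape of moby's default.json (not the real file):
# everything is denied unless listed, and the namespace/mount syscalls are
# only allowed when the container holds CAP_SYS_ADMIN.
MINI_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "fstat", "mmap", "munmap",
               "brk", "exit_group", "uname", "sysinfo", "clock_gettime"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["unshare", "setns", "mount", "umount2"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["ptrace"],
     "action": "SCMP_ACT_ALLOW",
     "excludes": {"caps": ["CAP_SYS_ADMIN"]},
     "comment": "constructed: allow only for unprivileged containers"}
  ]
}
""")


def _caps_match(flt, caps):
    """Any-of match on the caps list of an includes/excludes filter.
    Returns None when the filter has no caps entry."""
    if not flt or not flt.get("caps"):
        return None
    return any(c in caps for c in flt["caps"])


def evaluate(profile, syscall, caps):
    """Return the seccomp action the profile yields for one syscall name,
    given the container's capability list. First matching rule wins."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        inc = _caps_match(rule.get("includes"), caps)
        if inc is False:            # includes.caps present but none held
            continue
        exc = _caps_match(rule.get("excludes"), caps)
        if exc is True:             # excludes.caps present and one is held
            continue
        return rule["action"]
    return profile.get("defaultAction", "SCMP_ACT_ERRNO")


def blocked(profile, syscalls, caps):
    """Sorted subset of `syscalls` that the profile does not allow."""
    return sorted(s for s in syscalls
                  if evaluate(profile, s, caps) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    # Real use: python3 seccomp_check.py after downloading default.json,
    # replacing MINI_PROFILE with json.load(open("default.json")).
    wanted = ["uname", "unshare", "setns", "ptrace", "reboot"]
    print("default caps, blocked:", blocked(MINI_PROFILE, wanted, DOCKER_DEFAULT_CAPS))
    print("with CAP_SYS_ADMIN, blocked:",
          blocked(MINI_PROFILE, wanted, DOCKER_DEFAULT_CAPS + ["CAP_SYS_ADMIN"]))
```

Run the same evaluator over the downloaded `default.json` to confirm, before deploying a modified profile, which syscalls a `--cap-add` quietly unlocks; a capability added for one purpose also flips every `includes.caps` rule that names it.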