add docs

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2022-11-09 12:21:53 -05:00 · 2015-11-18 01:38:57 -08:00 · 2015-11-18 01:38:57 -08:00 · 831af89991
commit 831af89991
parent ec6d3392f1
1 changed files with 64 additions and 0 deletions
--- a/docs/security/seccomp.md
+++ b/docs/security/seccomp.md
@ -0,0 +1,64 @@
+<!-- [metadata]>
+++
+title = "Seccomp security profiles for Docker"
+description = "Enabling seccomp in Docker"
+keywords = ["seccomp, security, docker, documentation"]
+++
+<![end-metadata]-->
+
+Seccomp security profiles for Docker
+------------------------------------
+
+The seccomp() system call operates on the Secure Computing (seccomp)
+state of the calling process.
+
+This operation is available only if the kernel is configured
+with `CONFIG_SECCOMP` enabled.
+
+This allows for allowing or denying of certain syscalls in a container.
+
+Passing a profile for a container
+---------------------------------
+
+Users may pass a seccomp profile using the `security-opt` option
+(per-container).
+
+The profile has layout in the following form:
+
+```
+{
+    "defaultAction": "SCMP_ACT_ALLOW",
+    "syscalls": [
+        {
+            "name": "getcwd",
+            "action": "SCMP_ACT_ERRNO"
+        },
+        {
+            "name": "mount",
+            "action": "SCMP_ACT_ERRNO"
+        },
+        {
+            "name": "setns",
+            "action": "SCMP_ACT_ERRNO"
+        },
+        {
+            "name": "create_module",
+            "action": "SCMP_ACT_ERRNO"
+        },
+        {
+            "name": "chown",
+            "action": "SCMP_ACT_ERRNO"
+        },
+        {
+            "name": "chmod",
+            "action": "SCMP_ACT_ERRNO"
+        }
+    ]
+}
+```
+
+Then you can run with:
+
+```
+$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
+```