Merge pull request #20787 from itsthenetwork/Fix-Seccomp-Readme

Update seccomp.md
2022-11-09 12:21:53 -05:00 · 2016-02-29 09:54:48 -08:00 · 2016-02-29 09:54:48 -08:00 · b1955a66f5
commit b1955a66f5
parent b211e57f23 244e5fc516
1 changed files with 22 additions and 30 deletions
--- a/docs/security/seccomp.md
+++ b/docs/security/seccomp.md
@ -28,38 +28,30 @@ enabled.
 ## Passing a profile for a container

 The default seccomp profile provides a sane default for running containers with
-seccomp. It is moderately protective while providing wide application
-compatibility. The default Docker profile has layout in the following form:
+seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
+compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:

 ```
 {
-    "defaultAction": "SCMP_ACT_ALLOW",
-    "syscalls": [
-        {
-            "name": "getcwd",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "mount",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "setns",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "create_module",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "chown",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "chmod",
-            "action": "SCMP_ACT_ERRNO"
-        }
-    ]
+	"defaultAction": "SCMP_ACT_ERRNO",
+	"architectures": [
+		"SCMP_ARCH_X86_64",
+		"SCMP_ARCH_X86",
+		"SCMP_ARCH_X32"
+	],
+	"syscalls": [
+		{
+			"name": "accept",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "accept4",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		}
+		...
+	]
 }
 ```

@ -71,7 +63,7 @@ specifies the default policy:
 $ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
 ```

-### Syscalls blocked by the default profile
+### Significant syscalls blocked by the default profile

 Docker's default seccomp profile is a whitelist which specifies the calls that
 are allowed. The table below lists the significant (but not all) syscalls that