From dc0397c9a8ae7b5074dfbbad71ed7dd37b163a48 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 3 Mar 2016 11:58:40 +0100 Subject: [PATCH] docs: security: seccomp: mention Docker needs seccomp build and check config Signed-off-by: Antonio Murdaca --- docs/security/seccomp.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/security/seccomp.md b/docs/security/seccomp.md index c9346b5d09..196d93810d 100644 --- a/docs/security/seccomp.md +++ b/docs/security/seccomp.md @@ -16,10 +16,16 @@ restrict the actions available within the container. The `seccomp()` system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access. -This feature is available only if the kernel is configured with `CONFIG_SECCOMP` -enabled. +This feature is available only if Docker has been built with seccomp and the +kernel is configured with `CONFIG_SECCOMP` enabled. To check if your kernel +supports seccomp: -> **Note**: Seccomp profiles require seccomp 2.2.1 and are only +```bash +$ cat /boot/config-`uname -r` | grep CONFIG_SECCOMP= +CONFIG_SECCOMP=y +``` + +> **Note**: seccomp profiles require seccomp 2.2.1 and are only > available starting with Debian 9 "Stretch", Ubuntu 15.10 "Wily", and > Fedora 22. To use this feature on Ubuntu 14.04, Debian Wheezy, or > Debian Jessie, you must download the [latest static Docker Linux binary](../installation/binaries.md). @@ -31,7 +37,7 @@ The default seccomp profile provides a sane default for running containers with seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form: -``` +```json { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ 
@@ -49,7 +55,7 @@ compatibility. The default Docker profile (found [here](https://github.com/docke "name": "accept4", "action": "SCMP_ACT_ALLOW", "args": [] - } + }, ... ] }
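Review bot: in the first hunk the new check only covers half of the requirement it introduces. The rewritten sentence now says the feature needs both a Docker build with seccomp support and a kernel with `CONFIG_SECCOMP`, but the `cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=` snippet verifies only the kernel side, so readers on a Docker build without seccomp will pass the documented check and still have the profile silently ignored; add the corresponding Docker-side check, or at least say where that is documented. Two smaller points on the snippet itself: `/boot/config-$(uname -r)` is not present on every distribution (some expose the kernel config only via `/proc/config.gz`, which would need `zgrep`), so mentioning that alternative avoids a false "not supported" result, and the `$ ` prompt inside a `bash` fence will be pasted along with the command; `grep CONFIG_SECCOMP= /boot/config-$(uname -r)` without the `cat` pipe and without the prompt is easier to copy.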
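Review bot: the third hunk's change from `}` to `},` before `...` is right for an abbreviated list, since the `...` stands for the remaining syscall entries, but now that the block is tagged `json` in the second hunk neither the comma nor the `...` will parse, so anyone linting or copying the block as JSON gets a syntax error; consider saying in the sentence above the block that the listing is abbreviated, so the elision is understood as intentional.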