Merge pull request #20907 from runcom/seccomp-docs
docs: security: seccomp: mention Docker needs seccomp build and check config
This commit is contained in:
commit
d83ad2f554
|
@ -16,10 +16,16 @@ restrict the actions available within the container. The `seccomp()` system
|
||||||
call operates on the seccomp state of the calling process. You can use this
|
call operates on the seccomp state of the calling process. You can use this
|
||||||
feature to restrict your application's access.
|
feature to restrict your application's access.
|
||||||
|
|
||||||
This feature is available only if the kernel is configured with `CONFIG_SECCOMP`
|
This feature is available only if Docker has been built with seccomp and the
|
||||||
enabled.
|
kernel is configured with `CONFIG_SECCOMP` enabled. To check if your kernel
|
||||||
|
supports seccomp:
|
||||||
|
|
||||||
> **Note**: Seccomp profiles require seccomp 2.2.1 and are only
|
```bash
|
||||||
|
$ cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
|
||||||
|
CONFIG_SECCOMP=y
|
||||||
|
```
|
||||||
|
|
||||||
|
> **Note**: seccomp profiles require seccomp 2.2.1 and are only
|
||||||
> available starting with Debian 9 "Stretch", Ubuntu 15.10 "Wily", and
|
> available starting with Debian 9 "Stretch", Ubuntu 15.10 "Wily", and
|
||||||
> Fedora 22. To use this feature on Ubuntu 14.04, Debian Wheezy, or
|
> Fedora 22. To use this feature on Ubuntu 14.04, Debian Wheezy, or
|
||||||
> Debian Jessie, you must download the [latest static Docker Linux binary](../installation/binaries.md).
|
> Debian Jessie, you must download the [latest static Docker Linux binary](../installation/binaries.md).
|
||||||
|
@ -31,7 +37,7 @@ The default seccomp profile provides a sane default for running containers with
|
||||||
seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
|
seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
|
||||||
compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
|
compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
|
||||||
|
|
||||||
```
|
```json
|
||||||
{
|
{
|
||||||
"defaultAction": "SCMP_ACT_ERRNO",
|
"defaultAction": "SCMP_ACT_ERRNO",
|
||||||
"architectures": [
|
"architectures": [
|
||||||
|
@ -49,7 +55,7 @@ compatibility. The default Docker profile (found [here](https://github.com/docke
|
||||||
"name": "accept4",
|
"name": "accept4",
|
||||||
"action": "SCMP_ACT_ALLOW",
|
"action": "SCMP_ACT_ALLOW",
|
||||||
"args": []
|
"args": []
|
||||||
}
|
},
|
||||||
...
|
...
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue