1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

16 commits

Author SHA1 Message Date
lixiaobing10051267
227cae6680 A parenthesis omitted in Seccomp.md
Signed-off-by: lixiaobing10051267 <li.xiaobing1@zte.com.cn>
2016-08-02 12:24:15 +08:00
allencloud
57e2a82355 fix typos in docs
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-05-12 18:38:02 +08:00
Sebastiaan van Stijn
2cddd1cd1f
docs: update seccomp whitelist
the 'modify_ldt' was listed as "blocked by default",
but was whitelisted in 13a9d4e899

this updates the documentation to reflect this

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-05-11 18:45:27 +02:00
Brian Goff
1521a41fc5 centos:7/OL:7 now includes libseccomp 2.2.1
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2016-04-26 20:48:26 -04:00
David Calavera
cb9aeb0413 Consolidate security options to use = as separator.
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-17 13:34:42 -04:00
Justin Cormack
96896f2d0b Add new syscalls in libseccomp 2.3.0 to seccomp default profile
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.

The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration

The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-03-16 21:17:32 +00:00
Justin Cormack
5abd881883 Allow restart_syscall in default seccomp profile
Fixes #20818

This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-03-11 16:44:11 +00:00
Antonio Murdaca
dc0397c9a8 docs: security: seccomp: mention Docker needs seccomp build and check config
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-03-03 12:04:09 +01:00
Steven Iveson
244e5fc516 Update seccomp.md
Corrected titles to use title case. Added link to default.json and some numerical detail. Changed example JSON to a portion of the actual default file, with the correct defaultAction.

Signed-off-by: Steven Iveson <steven.iveson@infinityworks.com>
2016-02-29 16:32:45 +00:00
Sebastiaan van Stijn
13839a6d32 Be more explicit on seccomp availability
Seccomp is only *compiled* in binaries built for
distros that ship with seccomp 2.2.1 or higher,
and in the static binaries.

The static binaries are not really useful for
RHEL and CentOS, because devicemapper does
not work properly with the static binaries,
so static binaries is only an option for Ubuntu
and Debian.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-02-18 14:57:47 +01:00
Sebastiaan van Stijn
6ab52f9f00 Add note that seccomp 2.2.1 or higher is required
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-02-05 21:26:03 +01:00
Mary Anthony
4c76c665b7 Fixing missing certs article; consolidating security material
Entering comments from reviewers
Updating with Derek's comments
Fixing bad links reported by build

Signed-off-by: Mary Anthony <mary@docker.com>
2016-01-22 16:44:18 -08:00
Jessica Frazelle
61553fc2f5 WIP: Update security docs for seccomp/apparmor
Signed-off-by: Mary Anthony <mary@docker.com>

Updaing and slight re-arrangement of security information

Signed-off-by: Mary Anthony <mary@docker.com>

Updating security files

Signed-off-by: Mary Anthony <mary@docker.com>

Updating links to the security documentation

Signed-off-by: Mary Anthony <mary@docker.com>

removing some extra spaces

Signed-off-by: Mary Anthony <mary@docker.com>

Correcting spelling

Signed-off-by: Mary Anthony <mary@docker.com>
2016-01-14 13:58:37 -08:00
Jessica Frazelle
52f32818df
add syscalls we purposely block to docs
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-07 10:22:16 -08:00
Jessica Frazelle
15674c5fb7
add docs and unconfined to run a container without the default seccomp profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 10:26:51 -08:00
Jessica Frazelle
831af89991
add docs
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-03 16:30:52 -08:00