moby--moby/docs/security/seccomp.md at 849f64eeab5c026bad3e10bef06097c1bc684bf3

mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Jessica Frazelle 831af89991

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

2015-12-03 16:30:52 -08:00

1.4 KiB

Raw Blame History

Seccomp security profiles for Docker

The seccomp() system call operates on the Secure Computing (seccomp) state of the calling process.

This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled.

This allows for allowing or denying of certain syscalls in a container.

Passing a profile for a container

Users may pass a seccomp profile using the security-opt option (per-container).

The profile has layout in the following form:

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "getcwd",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "mount",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "setns",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "create_module",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "chown",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "chmod",
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

Then you can run with:

$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world

1.4 KiB Raw Blame History

Seccomp security profiles for Docker

Passing a profile for a container

1.4 KiB

Raw Blame History