fa7d79e4ed
Signed-off-by: Jessica Frazelle <acidburn@docker.com> Upstream-commit: 831af89991edd442ef4eeb29fd01da576b04bcfc Component: engine
65 lines
1.4 KiB
Markdown
65 lines
1.4 KiB
Markdown
<!-- [metadata]>
|
|
+++
|
|
title = "Seccomp security profiles for Docker"
|
|
description = "Enabling seccomp in Docker"
|
|
keywords = ["seccomp, security, docker, documentation"]
|
|
+++
|
|
<![end-metadata]-->
|
|
|
|
Seccomp security profiles for Docker
|
|
------------------------------------
|
|
|
|
The seccomp() system call operates on the Secure Computing (seccomp)
|
|
state of the calling process.
|
|
|
|
This operation is available only if the kernel is configured
|
|
with `CONFIG_SECCOMP` enabled.
|
|
|
|
This allows for allowing or denying of certain syscalls in a container.
|
|
|
|
Passing a profile for a container
|
|
---------------------------------
|
|
|
|
Users may pass a seccomp profile using the `security-opt` option
|
|
(per-container).
|
|
|
|
The profile has layout in the following form:
|
|
|
|
```
|
|
{
|
|
"defaultAction": "SCMP_ACT_ALLOW",
|
|
"syscalls": [
|
|
{
|
|
"name": "getcwd",
|
|
"action": "SCMP_ACT_ERRNO"
|
|
},
|
|
{
|
|
"name": "mount",
|
|
"action": "SCMP_ACT_ERRNO"
|
|
},
|
|
{
|
|
"name": "setns",
|
|
"action": "SCMP_ACT_ERRNO"
|
|
},
|
|
{
|
|
"name": "create_module",
|
|
"action": "SCMP_ACT_ERRNO"
|
|
},
|
|
{
|
|
"name": "chown",
|
|
"action": "SCMP_ACT_ERRNO"
|
|
},
|
|
{
|
|
"name": "chmod",
|
|
"action": "SCMP_ACT_ERRNO"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
Then you can run with:
|
|
|
|
```
|
|
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
|
|
```
|