
Update seccomp.md

Corrected titles to use title case. Added link to default.json and some numerical detail. Changed example JSON to a portion of the actual default file, with the correct defaultAction.

Signed-off-by: Steven Iveson <steven.iveson@infinityworks.com>
Steven Iveson 9 years ago
commit 244e5fc516
1 changed file with 22 additions and 30 deletions

docs/security/seccomp.md (+22 -30)

@@ -28,38 +28,30 @@ enabled.
 ## Passing a profile for a container
 
 The default seccomp profile provides a sane default for running containers with
-seccomp. It is moderately protective while providing wide application
-compatibility. The default Docker profile has layout in the following form:
+seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
+compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
 
 ```
 {
-    "defaultAction": "SCMP_ACT_ALLOW",
-    "syscalls": [
-        {
-            "name": "getcwd",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "mount",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "setns",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "create_module",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "chown",
-            "action": "SCMP_ACT_ERRNO"
-        },
-        {
-            "name": "chmod",
-            "action": "SCMP_ACT_ERRNO"
-        }
-    ]
+	"defaultAction": "SCMP_ACT_ERRNO",
+	"architectures": [
+		"SCMP_ARCH_X86_64",
+		"SCMP_ARCH_X86",
+		"SCMP_ARCH_X32"
+	],
+	"syscalls": [
+		{
+			"name": "accept",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "accept4",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		}
+		...
+	]
 }
 ```
 
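Review bot: the parenthesis opened in `(found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json)` on the added line is never closed, so the rendered sentence reads "(found here has a JSON layout ..."; add `)` after the link: `(found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json)) has a JSON layout in the following form:`. The `...` placeholder inside the `syscalls` array and the missing comma after the `accept4` object also make the sample invalid JSON; since the commit presents it as a portion of the real default.json, either move the ellipsis to a prose sentence after the block or note in the text that the list is truncated, and consider tagging the fence as ```json. The new lines indent with tabs where the removed lines used four spaces, which will render unevenly against the untouched snippets. Finally, "disables around 44 system calls out of 300+" reads as if the profile denies 44 calls and allows the rest by default, while the same hunk sets `"defaultAction": "SCMP_ACT_ERRNO"` and only the listed calls are allowed; wording such as "allows 300+ system calls and denies around 44 by omission" would match the whitelist model the next section describes.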
@@ -71,7 +63,7 @@ specifies the default policy:
 $ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
 ```
 
-### Syscalls blocked by the default profile
+### Significant syscalls blocked by the default profile
 
 Docker's default seccomp profile is a whitelist which specifies the calls that
 are allowed. The table below lists the significant (but not all) syscalls that
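Review bot: the new heading `### Significant syscalls blocked by the default profile` is still in sentence case, while the commit message says titles were corrected to title case; either make it `### Significant Syscalls Blocked by the Default Profile` or drop that claim from the message. "Significant" is also repeated immediately below in "lists the significant (but not all) syscalls", so one of the two occurrences can go without losing meaning.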