|
@@ -28,38 +28,30 @@ enabled.
|
|
|
## Passing a profile for a container
|
|
## Passing a profile for a container
|
|
|
|
|
|
|
|
The default seccomp profile provides a sane default for running containers with
|
|
The default seccomp profile provides a sane default for running containers with
|
|
|
-seccomp. It is moderately protective while providing wide application
|
|
|
|
|
-compatibility. The default Docker profile has layout in the following form:
|
|
|
|
|
|
|
+seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
|
|
|
|
|
+compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
{
|
|
{
|
|
|
- "defaultAction": "SCMP_ACT_ALLOW",
|
|
|
|
|
- "syscalls": [
|
|
|
|
|
- {
|
|
|
|
|
- "name": "getcwd",
|
|
|
|
|
- "action": "SCMP_ACT_ERRNO"
|
|
|
|
|
- },
|
|
|
|
|
- {
|
|
|
|
|
- "name": "mount",
|
|
|
|
|
- "action": "SCMP_ACT_ERRNO"
|
|
|
|
|
- },
|
|
|
|
|
- {
|
|
|
|
|
- "name": "setns",
|
|
|
|
|
- "action": "SCMP_ACT_ERRNO"
|
|
|
|
|
- },
|
|
|
|
|
- {
|
|
|
|
|
- "name": "create_module",
|
|
|
|
|
- "action": "SCMP_ACT_ERRNO"
|
|
|
|
|
- },
|
|
|
|
|
- {
|
|
|
|
|
- "name": "chown",
|
|
|
|
|
- "action": "SCMP_ACT_ERRNO"
|
|
|
|
|
- },
|
|
|
|
|
- {
|
|
|
|
|
- "name": "chmod",
|
|
|
|
|
- "action": "SCMP_ACT_ERRNO"
|
|
|
|
|
- }
|
|
|
|
|
- ]
|
|
|
|
|
|
|
+ "defaultAction": "SCMP_ACT_ERRNO",
|
|
|
|
|
+ "architectures": [
|
|
|
|
|
+ "SCMP_ARCH_X86_64",
|
|
|
|
|
+ "SCMP_ARCH_X86",
|
|
|
|
|
+ "SCMP_ARCH_X32"
|
|
|
|
|
+ ],
|
|
|
|
|
+ "syscalls": [
|
|
|
|
|
+ {
|
|
|
|
|
+ "name": "accept",
|
|
|
|
|
+ "action": "SCMP_ACT_ALLOW",
|
|
|
|
|
+ "args": []
|
|
|
|
|
+ },
|
|
|
|
|
+ {
|
|
|
|
|
+ "name": "accept4",
|
|
|
|
|
+ "action": "SCMP_ACT_ALLOW",
|
|
|
|
|
+ "args": []
|
|
|
|
|
+ }
|
|
|
|
|
+ ...
|
|
|
|
|
+ ]
|
|
|
}
|
|
}
|
|
|
```
|
|
```
|
|
|
|
|
|
|
@@ -71,7 +63,7 @@ specifies the default policy:
|
|
|
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
|
|
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
-### Syscalls blocked by the default profile
|
|
|
|
|
|
|
+### Significant syscalls blocked by the default profile
|
|
|
|
|
|
|
|
Docker's default seccomp profile is a whitelist which specifies the calls that
|
|
Docker's default seccomp profile is a whitelist which specifies the calls that
|
|
|
are allowed. The table below lists the significant (but not all) syscalls that
|
|
are allowed. The table below lists the significant (but not all) syscalls that
|
David Calavera