Ver código fonte

Merge pull request #20907 from runcom/seccomp-docs

docs: security: seccomp: mention Docker needs seccomp build and check config
Sebastiaan van Stijn 9 anos atrás
pai
commit
d83ad2f554
1 arquivos alterados com 11 adições e 5 exclusões
  1. 11 5
      docs/security/seccomp.md

+ 11 - 5
docs/security/seccomp.md

@@ -16,10 +16,16 @@ restrict the actions available within the container. The `seccomp()` system
 call operates on the seccomp state of the calling process. You can use this
 feature to restrict your application's access.
 
-This feature is available only if the kernel is configured with `CONFIG_SECCOMP`
-enabled.
+This feature is available only if Docker has been built with seccomp and the
+kernel is configured with `CONFIG_SECCOMP` enabled. To check if your kernel
+supports seccomp:
 
-> **Note**: Seccomp profiles require seccomp 2.2.1 and are only
+```bash
+$ cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
+CONFIG_SECCOMP=y
+```
+
+> **Note**: seccomp profiles require seccomp 2.2.1 and are only
 > available starting with Debian 9 "Stretch", Ubuntu 15.10 "Wily", and
 > Fedora 22. To use this feature on Ubuntu 14.04, Debian Wheezy, or
 > Debian Jessie, you must download the [latest static Docker Linux binary](../installation/binaries.md).
@@ -31,7 +37,7 @@ The default seccomp profile provides a sane default for running containers with
 seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
 compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
 
-```
+```json
 {
 	"defaultAction": "SCMP_ACT_ERRNO",
 	"architectures": [
@@ -49,7 +55,7 @@ compatibility. The default Docker profile (found [here](https://github.com/docke
 			"name": "accept4",
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
-		}
+		},
 		...
 	]
 }