|
|
@@ -16,10 +16,16 @@ restrict the actions available within the container. The `seccomp()` system
|
|
|
call operates on the seccomp state of the calling process. You can use this
|
|
|
feature to restrict your application's access.
|
|
|
|
|
|
-This feature is available only if the kernel is configured with `CONFIG_SECCOMP`
|
|
|
-enabled.
|
|
|
+This feature is available only if Docker has been built with seccomp and the
|
|
|
+kernel is configured with `CONFIG_SECCOMP` enabled. To check if your kernel
|
|
|
+supports seccomp:
|
|
|
|
|
|
-> **Note**: Seccomp profiles require seccomp 2.2.1 and are only
|
|
|
+```bash
|
|
|
+$ cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
|
|
|
+CONFIG_SECCOMP=y
|
|
|
+```
|
|
|
+
|
|
|
+> **Note**: seccomp profiles require seccomp 2.2.1 and are only
|
|
|
> available starting with Debian 9 "Stretch", Ubuntu 15.10 "Wily", and
|
|
|
> Fedora 22. To use this feature on Ubuntu 14.04, Debian Wheezy, or
|
|
|
> Debian Jessie, you must download the [latest static Docker Linux binary](../installation/binaries.md).
|
|
|
@@ -31,7 +37,7 @@ The default seccomp profile provides a sane default for running containers with
|
|
|
seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
|
|
|
compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
|
|
|
|
|
|
-```
|
|
|
+```json
|
|
|
{
|
|
|
"defaultAction": "SCMP_ACT_ERRNO",
|
|
|
"architectures": [
|
|
|
@@ -49,7 +55,7 @@ compatibility. The default Docker profile (found [here](https://github.com/docke
|
|
|
"name": "accept4",
|
|
|
"action": "SCMP_ACT_ALLOW",
|
|
|
"args": []
|
|
|
- }
|
|
|
+ },
|
|
|
...
|
|
|
]
|
|
|
}
|
Antonio Murdaca