docker-docs/docs/security/seccomp.md at 27220ecc6b1eedf650ca9cf94965cb0dc2054efd

mirror of https://github.com/docker/docs.git synced 2026-03-27 22:38:54 +07:00

Files

Jessica Frazelle 831af89991 add docs

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

2015-12-03 16:30:52 -08:00

1.4 KiB

Raw Blame History

Seccomp security profiles for Docker

The seccomp() system call operates on the Secure Computing (seccomp) state of the calling process.

This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled.

This allows for allowing or denying of certain syscalls in a container.

Passing a profile for a container

Users may pass a seccomp profile using the security-opt option (per-container).

The profile has layout in the following form:

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "getcwd",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "mount",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "setns",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "create_module",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "chown",
            "action": "SCMP_ACT_ERRNO"
        },
        {
            "name": "chmod",
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

Then you can run with:

$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world

1.4 KiB Raw Blame History

Seccomp security profiles for Docker

Passing a profile for a container

1.4 KiB

Raw Blame History