1 file changed +64 -0 lines changed
1+ <!-- [metadata]>
2+ +++
3+ title = "Seccomp security profiles for Docker"
4+ description = "Enabling seccomp in Docker"
5+ keywords = ["seccomp, security, docker, documentation"]
6+ +++
7+ <![end-metadata]-->
8+
9+ Seccomp security profiles for Docker
10+ ------------------------------------
11+
12+ The seccomp() system call operates on the Secure Computing (seccomp)
13+ state of the calling process.
14+
15+ This operation is available only if the kernel is configured
16+ with ` CONFIG_SECCOMP ` enabled.
17+
18+ This allows for allowing or denying of certain syscalls in a container.
19+
20+ Passing a profile for a container
21+ ---------------------------------
22+
23+ Users may pass a seccomp profile using the ` security-opt ` option
24+ (per-container).
25+
26+ The profile has layout in the following form:
27+
28+ ```
29+ {
30+ "defaultAction": "SCMP_ACT_ALLOW",
31+ "syscalls": [
32+ {
33+ "name": "getcwd",
34+ "action": "SCMP_ACT_ERRNO"
35+ },
36+ {
37+ "name": "mount",
38+ "action": "SCMP_ACT_ERRNO"
39+ },
40+ {
41+ "name": "setns",
42+ "action": "SCMP_ACT_ERRNO"
43+ },
44+ {
45+ "name": "create_module",
46+ "action": "SCMP_ACT_ERRNO"
47+ },
48+ {
49+ "name": "chown",
50+ "action": "SCMP_ACT_ERRNO"
51+ },
52+ {
53+ "name": "chmod",
54+ "action": "SCMP_ACT_ERRNO"
55+ }
56+ ]
57+ }
58+ ```
59+
60+ Then you can run with:
61+
62+ ```
63+ $ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
64+ ```
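Review bot: the profile section never explains the two actions it uses, so a reader copying the JSON cannot tell that `SCMP_ACT_ERRNO` makes each listed syscall fail with an error returned to the caller, while `"defaultAction": "SCMP_ACT_ALLOW"` lets every syscall not named in the list through unchanged; one sentence stating this, and noting that the example is therefore a denylist and that a restrictive `defaultAction` with an explicit list of permitted calls is the stricter shape, would make the document usable on its own. Two smaller points: the inline code spans for ` CONFIG_SECCOMP ` and ` security-opt ` have stray spaces inside the backticks, and the option is spelled `--security-opt` in the `docker run` command but `security-opt` in the prose, so the prose should read "the `--security-opt` option". The sentence "This allows for allowing or denying of certain syscalls in a container." reads awkwardly and could be "This lets certain syscalls be allowed or denied inside a container."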