<!-- [metadata]>
+++
title = "Seccomp security profiles for Docker"
description = "Enabling seccomp in Docker"
keywords = ["seccomp, security, docker, documentation"]
+++
<![end-metadata]-->

Seccomp security profiles for Docker
------------------------------------

The seccomp() system call operates on the Secure Computing (seccomp)
state of the calling process.

This operation is available only if the kernel is configured
with `CONFIG_SECCOMP` enabled.

Seccomp lets you allow or deny individual syscalls inside a container.

Passing a profile for a container
---------------------------------

Users may pass a seccomp profile per container using the `--security-opt` option.

A profile has the following layout:

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "name": "getcwd",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "mount",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "setns",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "create_module",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "chown",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
```

Then you can run with:

```bash
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
```
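Before handing a profile to `--security-opt`, it helps to build it programmatically, lint it, and predict which action a given syscall will receive. The following is an added example, not Docker's own code: it embeds the profile shown above as a constructed string, generates a deny-list profile in the same layout, validates it, and resolves the action for a syscall name the way the layout implies (first matching entry, otherwise `defaultAction`). The `KNOWN_ACTIONS` set, the function names and the redundancy check are this example's own assumptions; the profile layout and the `SCMP_ACT_ALLOW`/`SCMP_ACT_ERRNO` values come from the page.

```python
"""Build, lint and evaluate a Docker seccomp profile in the layout shown above.

Added example; not part of the Docker project. The only format knowledge it
relies on is the page's layout: a top-level "defaultAction" and a "syscalls"
list of {"name", "action"} entries.
"""
import json

# libseccomp action names (assumption: the set a practitioner would accept when
# linting a profile offline; the page itself only shows ALLOW and ERRNO).
KNOWN_ACTIONS = {
    "SCMP_ACT_ALLOW",  # let the syscall proceed
    "SCMP_ACT_ERRNO",  # fail the syscall with an errno
    "SCMP_ACT_KILL",   # kill the calling thread
    "SCMP_ACT_TRAP",   # deliver SIGSYS to the caller
    "SCMP_ACT_TRACE",  # hand control to an attached ptrace tracer
}

# The page's profile, embedded as a constructed string so this runs offline.
PAGE_PROFILE_JSON = """{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"name": "getcwd",        "action": "SCMP_ACT_ERRNO"},
    {"name": "mount",         "action": "SCMP_ACT_ERRNO"},
    {"name": "setns",         "action": "SCMP_ACT_ERRNO"},
    {"name": "create_module", "action": "SCMP_ACT_ERRNO"},
    {"name": "chown",         "action": "SCMP_ACT_ERRNO"},
    {"name": "chmod",         "action": "SCMP_ACT_ERRNO"}
  ]
}"""


def load_profile(text):
    """Parse profile JSON into a dict (hypothetical helper name)."""
    return json.loads(text)


def build_denylist_profile(deny, default_action="SCMP_ACT_ALLOW",
                           deny_action="SCMP_ACT_ERRNO"):
    """Return a profile dict in the page's layout that denies the named syscalls."""
    return {
        "defaultAction": default_action,
        "syscalls": [{"name": name, "action": deny_action} for name in deny],
    }


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile looks well-formed."""
    problems = []
    default = profile.get("defaultAction")
    if default not in KNOWN_ACTIONS:
        problems.append(f"defaultAction {default!r} is not a known SCMP_ACT_* action")
    seen = set()
    for i, entry in enumerate(profile.get("syscalls", [])):
        name, action = entry.get("name"), entry.get("action")
        if not name:
            problems.append(f"syscalls[{i}] has no name")
        elif name in seen:
            # A duplicate usually means two rules disagree; flag it for review.
            problems.append(f"syscall {name!r} is listed more than once")
        else:
            seen.add(name)
        if action not in KNOWN_ACTIONS:
            problems.append(f"syscalls[{i}] ({name}): unknown action {action!r}")
        elif action == default:
            # Assumption: an entry that repeats defaultAction is redundant noise.
            problems.append(f"syscalls[{i}] ({name}): action equals defaultAction")
    return problems


def resolve_action(profile, syscall):
    """Action the profile applies to one syscall: first matching entry, else defaultAction."""
    for entry in profile.get("syscalls", []):
        if entry.get("name") == syscall:
            return entry["action"]
    return profile["defaultAction"]


def denied_syscalls(profile):
    """Names explicitly listed with a non-ALLOW action, sorted for stable output."""
    return sorted(e["name"] for e in profile.get("syscalls", [])
                  if e.get("action") != "SCMP_ACT_ALLOW")


def profile_json(profile):
    """Serialise a profile dict into the text you would save as profile.json."""
    return json.dumps(profile, indent=2)


PAGE_PROFILE = load_profile(PAGE_PROFILE_JSON)

if __name__ == "__main__":
    print("problems:", validate_profile(PAGE_PROFILE) or "none")
    print("denied:", ", ".join(denied_syscalls(PAGE_PROFILE)))
    for call in ("mount", "chmod", "read"):
        print(f"{call:>6} -> {resolve_action(PAGE_PROFILE, call)}")
    print(profile_json(build_denylist_profile(["mount", "setns"])))
```

Write the output of `profile_json(...)` to a file and pass that path to `--security-opt seccomp:<path>` as in the run line above. `resolve_action` mirrors only what this layout expresses (a per-name action with a default); it does not model syscall-argument filtering, which the layout on this page does not contain.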