Restrict system calls inside docker container

杀马特。学长 韩版系。学妹 提交于 2019-12-04 06:46:56

You can see more at "Seccomp security profiles for Docker" (the eature is available only if the kernel is configured with CONFIG_SECCOMP enabled.)

The supoprt for docker containers will be in docker 1.10: see issue 17142

allowing the Engine to accept a seccomp profile at container run time.
In the future, we might want to ship builtin profiles, or bake profiles in the images.

PR 17989 has been merged.

It allows for passing a seccomp profile in the form of:

{
     "defaultAction": "SCMP_ACT_ALLOW",
     "syscalls": [
         {
             "name": "getcwd",
             "action": "SCMP_ACT_ERRNO"
         }
     ]
 }

Example (based on Linux-specific Runtime Configuration - seccomp):

$ docker run --rm -it --security-ops seccomp:/path/to/container-profile.json jess/i-am-malicious
标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!