Restrict system calls inside docker container

邮差的信 提交于 2019-12-06 00:32:14

问题


How can I restrict any system call made inside a docker container. If the given process makes a system call it will be blocked. Or how can I use seccomp with docker.


回答1:


You can see more at "Seccomp security profiles for Docker" (the eature is available only if the kernel is configured with CONFIG_SECCOMP enabled.)

The supoprt for docker containers will be in docker 1.10: see issue 17142

allowing the Engine to accept a seccomp profile at container run time.
In the future, we might want to ship builtin profiles, or bake profiles in the images.

PR 17989 has been merged.

It allows for passing a seccomp profile in the form of:

{
     "defaultAction": "SCMP_ACT_ALLOW",
     "syscalls": [
         {
             "name": "getcwd",
             "action": "SCMP_ACT_ERRNO"
         }
     ]
 }

Example (based on Linux-specific Runtime Configuration - seccomp):

$ docker run --rm -it --security-ops seccomp:/path/to/container-profile.json jess/i-am-malicious


来源:https://stackoverflow.com/questions/34870841/restrict-system-calls-inside-docker-container

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!