Update seccomp.md

Corrected titles to use title case. Added link to default.json and some numerical detail. Changed example JSON to a portion of the actual default file, with the correct defaultAction.

Signed-off-by: Steven Iveson <steven.iveson@infinityworks.com>
This commit is contained in:
Steven Iveson 2016-02-29 16:03:31 +00:00 committed by Steven Iveson
parent eb22fcc229
commit 244e5fc516
1 changed file with 22 additions and 30 deletions

@ -28,37 +28,29 @@ enabled.
## Passing a profile for a container ## Passing a profile for a container
The default seccomp profile provides a sane default for running containers with The default seccomp profile provides a sane default for running containers with
seccomp. It is moderately protective while providing wide application seccomp and disables around 44 system calls out of 300+. It is moderately protective while providing wide application
compatibility. The default Docker profile has layout in the following form: compatibility. The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout in the following form:
``` ```
{ {
"defaultAction": "SCMP_ACT_ALLOW", "defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [ "syscalls": [
{ {
"name": "getcwd", "name": "accept",
"action": "SCMP_ACT_ERRNO" "action": "SCMP_ACT_ALLOW",
"args": []
}, },
{ {
"name": "mount", "name": "accept4",
"action": "SCMP_ACT_ERRNO" "action": "SCMP_ACT_ALLOW",
}, "args": []
{
"name": "setns",
"action": "SCMP_ACT_ERRNO"
},
{
"name": "create_module",
"action": "SCMP_ACT_ERRNO"
},
{
"name": "chown",
"action": "SCMP_ACT_ERRNO"
},
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO"
} }
...
] ]
} }
``` ```
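Review bot: the new sentence on the "compatibility." line has an unbalanced parenthesis: "The default Docker profile (found [here](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json) has a JSON layout" opens "(found" but never closes it, so the rendered text reads "(found here has a JSON layout". Add the closing parenthesis after the link, e.g. "(found [here](...)) has a JSON layout". Two smaller points on the same hunk: the `architectures` array was dropped from the example, yet the commit message says the JSON is now a portion of the actual default file, so confirm whether default.json carries that array and keep it if it does, since the architecture list is part of what the profile enforces; and the "44 system calls out of 300+" figure is a snapshot that will drift as default.json changes, so consider qualifying it ("at the time of writing") or pointing at the table in the next section instead.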
@ -71,7 +63,7 @@ specifies the default policy:
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world $ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
``` ```
### Syscalls blocked by the default profile ### Significant syscalls blocked by the default profile
Docker's default seccomp profile is a whitelist which specifies the calls that Docker's default seccomp profile is a whitelist which specifies the calls that
are allowed. The table below lists the significant (but not all) syscalls that are allowed. The table below lists the significant (but not all) syscalls that
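Review bot: the heading is renamed to "### Significant syscalls blocked by the default profile", which changes its generated anchor; check the docs for any links to the old "#syscalls-blocked-by-the-default-profile" anchor and update them, since that heading is the one a reader is most likely to be sent to when a container fails with an unexpected EPERM. The renamed heading is also still in sentence case, while the commit message says titles were corrected to title case; either apply title case here or drop that sentence from the message so the two agree.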