docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21651 from dvdksn/seccomp-freshness 

seccomp freshness
This commit is contained in:
David Karlsson 2024-12-18 09:36:52 +01:00 committed by GitHub
parent 1c75da7964 0a4d8cf004
commit 54fcccd75e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 66 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_vale/Docker/Acronyms.yml
View File

@ -17,6 +17,7 @@ exceptions:
- AWS - AWS
- BIOS - BIOS
- BPF - BPF
- BSD
- CI - CI
- CISA - CISA
- CLI - CLI
@ -73,6 +74,7 @@ exceptions:
- NFS - NFS
- NOTE - NOTE
- NTLM - NTLM
- NUMA
- NVDA - NVDA
- OCI - OCI
- OS - OS

14
_vale/config/vocabularies/Docker/accept.txt
View File

@ -20,8 +20,8 @@ Couchbase
Datadog Datadog
Ddosify Ddosify
Debootstrap Debootstrap
Dev Environments?
Dev Dev
Dev Environments?
Django Django
Docker Build Cloud Docker Build Cloud
Docker Business Docker Business
@ -73,8 +73,8 @@ Nuxeo
OAuth OAuth
OTel OTel
Okta Okta
Paketo
PKG PKG
Paketo
Postgres Postgres
PowerShell PowerShell
Python Python
@ -98,8 +98,9 @@ WireMock
Zscaler Zscaler
Zsh Zsh
[Aa]utobuild [Aa]utobuild
[Bb]uildx [Aa]llowlist
[Bb]uildpack(s)? [Bb]uildpack(s)?
[Bb]uildx
[Cc]odenames? [Cc]odenames?
[Cc]ompose [Cc]ompose
[Dd]istroless [Dd]istroless
@ -134,6 +135,10 @@ Zsh
[Ss]ysfs [Ss]ysfs
[Tt]oolchains? [Tt]oolchains?
[Uu]narchived? [Uu]narchived?
[Uu]ngated
[Uu]ntrusted
[Uu]serland
[Uu]serspace
[Vv]irtiofs [Vv]irtiofs
[Vv]irtualize [Vv]irtualize
[Ww]alkthrough [Ww]alkthrough
@ -178,8 +183,5 @@ systemd
tmpfs tmpfs
ufw ufw
umask umask
ungated
userland
untrusted
vSphere vSphere
vpnkit vpnkit

18
content/manuals/engine/security/seccomp.md
View File

@ -26,8 +26,8 @@ protective while providing wide application compatibility. The default Docker
profile can be found profile can be found
[here](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json). [here](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).
In effect, the profile is an allowlist which denies access to system calls by In effect, the profile is an allowlist that denies access to system calls by
default, then allowlists specific system calls. The profile works by defining a default and then allows specific system calls. The profile works by defining a
`defaultAction` of `SCMP_ACT_ERRNO` and overriding that action only for specific `defaultAction` of `SCMP_ACT_ERRNO` and overriding that action only for specific
system calls. The effect of `SCMP_ACT_ERRNO` is to cause a `Permission Denied` system calls. The effect of `SCMP_ACT_ERRNO` is to cause a `Permission Denied`
error. Next, the profile defines a specific list of system calls which are fully error. Next, the profile defines a specific list of system calls which are fully
@ -53,17 +53,17 @@ $ docker run --rm \
Docker's default seccomp profile is an allowlist which specifies the calls that Docker's default seccomp profile is an allowlist which specifies the calls that
are allowed. The table below lists the significant (but not all) syscalls that are allowed. The table below lists the significant (but not all) syscalls that
are effectively blocked because they are not on the Allowlist. The table includes are effectively blocked because they are not on the allowlist. The table includes
the reason each syscall is blocked rather than white-listed. the reason each syscall is blocked rather than white-listed.
| Syscall | Description | | Syscall | Description |
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------| | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `acct` | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_PACCT`. | | `acct` | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_PACCT`. |
| `add_key` | Prevent containers from using the kernel keyring, which is not namespaced. | | `add_key` | Prevent containers from using the kernel keyring, which is not namespaced. |
| `bpf` | Deny loading potentially persistent bpf programs into kernel, already gated by `CAP_SYS_ADMIN`. | | `bpf` | Deny loading potentially persistent BPF programs into kernel, already gated by `CAP_SYS_ADMIN`. |
| `clock_adjtime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | | `clock_adjtime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
| `clock_settime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | | `clock_settime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
| `clone` | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE_* flags, except `CLONE_NEWUSER`. | | `clone` | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE\_\* flags, except `CLONE_NEWUSER`. |
| `create_module` | Deny manipulation and functions on kernel modules. Obsolete. Also gated by `CAP_SYS_MODULE`. | | `create_module` | Deny manipulation and functions on kernel modules. Obsolete. Also gated by `CAP_SYS_MODULE`. |
| `delete_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. | | `delete_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
| `finit_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. | | `finit_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
@ -80,10 +80,10 @@ the reason each syscall is blocked rather than white-listed.
| `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | | `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. |
| `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. | | `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. |
| `move_pages` | Syscall that modifies kernel memory and NUMA settings. | | `move_pages` | Syscall that modifies kernel memory and NUMA settings. |
| `nfsservctl` | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. | | `nfsservctl` | Deny interaction with the kernel NFS daemon. Obsolete since Linux 3.1. |
| `open_by_handle_at` | Cause of an old container breakout. Also gated by `CAP_DAC_READ_SEARCH`. | | `open_by_handle_at` | Cause of an old container breakout. Also gated by `CAP_DAC_READ_SEARCH`. |
| `perf_event_open` | Tracing/profiling syscall, which could leak a lot of information on the host. | | `perf_event_open` | Tracing/profiling syscall, which could leak a lot of information on the host. |
| `personality` | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. | | `personality` | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulnerabilities. |
| `pivot_root` | Deny `pivot_root`, should be privileged operation. | | `pivot_root` | Deny `pivot_root`, should be privileged operation. |
| `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. | | `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. |
| `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. | | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. |
@ -115,6 +115,6 @@ You can pass `unconfined` to run a container without the default seccomp
profile. profile.
```console ```console
$ docker run --rm -it --security-opt seccomp=unconfined debian:jessie \ $ docker run --rm -it --security-opt seccomp=unconfined debian:latest \
unshare --map-root-user --user sh -c whoami unshare --map-root-user --user sh -c whoami
``` ```