docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21651 from dvdksn/seccomp-freshness 

seccomp freshness
This commit is contained in:
David Karlsson 2024-12-18 09:36:52 +01:00 committed by GitHub
parent 1c75da7964 0a4d8cf004
commit 54fcccd75e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 66 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_vale/Docker/Acronyms.yml
View File

@ -17,6 +17,7 @@ exceptions:
- AWS
- BIOS
- BPF
- BSD
- CI
- CISA
- CLI
@ -73,6 +74,7 @@ exceptions:
- NFS
- NOTE
- NTLM
- NUMA
- NVDA
- OCI
- OS

14
_vale/config/vocabularies/Docker/accept.txt
View File

@ -20,8 +20,8 @@ Couchbase
Datadog
Ddosify
Debootstrap
Dev Environments?
Dev
Dev Environments?
Django
Docker Build Cloud
Docker Business
@ -73,8 +73,8 @@ Nuxeo
OAuth
OTel
Okta
Paketo
PKG
Paketo
Postgres
PowerShell
Python
@ -98,8 +98,9 @@ WireMock
Zscaler
Zsh
[Aa]utobuild
[Bb]uildx
[Aa]llowlist
[Bb]uildpack(s)?
[Bb]uildx
[Cc]odenames?
[Cc]ompose
[Dd]istroless
@ -134,6 +135,10 @@ Zsh
[Ss]ysfs
[Tt]oolchains?
[Uu]narchived?
[Uu]ngated
[Uu]ntrusted
[Uu]serland
[Uu]serspace
[Vv]irtiofs
[Vv]irtualize
[Ww]alkthrough
@ -178,8 +183,5 @@ systemd
tmpfs
ufw
umask
ungated
userland
untrusted
vSphere
vpnkit

18
content/manuals/engine/security/seccomp.md
View File

@ -26,8 +26,8 @@ protective while providing wide application compatibility. The default Docker
profile can be found
[here](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).
In effect, the profile is an allowlist which denies access to system calls by
default, then allowlists specific system calls. The profile works by defining a
In effect, the profile is an allowlist that denies access to system calls by
default and then allows specific system calls. The profile works by defining a
`defaultAction` of `SCMP_ACT_ERRNO` and overriding that action only for specific
system calls. The effect of `SCMP_ACT_ERRNO` is to cause a `Permission Denied`
error. Next, the profile defines a specific list of system calls which are fully
@ -53,17 +53,17 @@ $ docker run --rm \
Docker's default seccomp profile is an allowlist which specifies the calls that
are allowed. The table below lists the significant (but not all) syscalls that
are effectively blocked because they are not on the Allowlist. The table includes
are effectively blocked because they are not on the allowlist. The table includes
the reason each syscall is blocked rather than white-listed.
| Syscall | Description |
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `acct` | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_PACCT`. |
| `add_key` | Prevent containers from using the kernel keyring, which is not namespaced. |
| `bpf` | Deny loading potentially persistent bpf programs into kernel, already gated by `CAP_SYS_ADMIN`. |
| `bpf` | Deny loading potentially persistent BPF programs into kernel, already gated by `CAP_SYS_ADMIN`. |
| `clock_adjtime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
| `clock_settime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
| `clone` | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE_* flags, except `CLONE_NEWUSER`. |
| `clone` | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE\_\* flags, except `CLONE_NEWUSER`. |
| `create_module` | Deny manipulation and functions on kernel modules. Obsolete. Also gated by `CAP_SYS_MODULE`. |
| `delete_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
| `finit_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
@ -80,10 +80,10 @@ the reason each syscall is blocked rather than white-listed.
| `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. |
| `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. |
| `move_pages` | Syscall that modifies kernel memory and NUMA settings. |
| `nfsservctl` | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
| `nfsservctl` | Deny interaction with the kernel NFS daemon. Obsolete since Linux 3.1. |
| `open_by_handle_at` | Cause of an old container breakout. Also gated by `CAP_DAC_READ_SEARCH`. |
| `perf_event_open` | Tracing/profiling syscall, which could leak a lot of information on the host. |
| `personality` | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
| `personality` | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulnerabilities. |
| `pivot_root` | Deny `pivot_root`, should be privileged operation. |
| `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. |
| `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. |
@ -115,6 +115,6 @@ You can pass `unconfined` to run a container without the default seccomp
profile.
```console
$ docker run --rm -it --security-opt seccomp=unconfined debian:jessie \
$ docker run --rm -it --security-opt seccomp=unconfined debian:latest \
unshare --map-root-user --user sh -c whoami
```