How can I restrict any system call made inside a Docker container? If the given process makes a system call, it will be blocked. Or how can I use seccomp with Docker?

Neetesh

1 Answer


You can see more at "Seccomp security profiles for Docker" (the feature is available only if the kernel is configured with CONFIG_SECCOMP enabled.)

The support for Docker containers will be in Docker 1.10: see issue 17142

allowing the Engine to accept a seccomp profile at container run time.
In the future, we might want to ship builtin profiles, or bake profiles in the images.

PR 17989 has been merged.

It allows for passing a seccomp profile in the form of:

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "getcwd",
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

Example (based on Linux-specific Runtime Configuration - seccomp):

$ docker run --rm -it --security-opt seccomp:/path/to/container-profile.json jess/i-am-malicious
VonC
  • Thank you, but when I tried this command an error came saying Error response from daemon: Invalid --security-opt: "seccomp:unconfined". And please tell me how to know that my kernel is configured with CONFIG_SECCOMP enabled, and if not, how to enable it. – Neetesh Jan 19 '16 at 18:03
  • That would be with docker 1.10-rc1 only – VonC Jan 19 '16 at 18:08
  • But I have docker 1.9 and am still having the same problem. Please help – Neetesh Jan 19 '16 at 20:17
  • My point is: this is only supported by docker 1.10, not 1.9. Try docker 1.10-beta1 which just got out. – VonC Jan 19 '16 at 20:19
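The following script is an added example and is not part of the answer or the Docker project. It generates a profile in the JSON shape the answer shows (default allow, named syscalls return an errno), checks whether the running kernel exposes seccomp (the question raised in the comments), and assembles the `docker run` line. Assumptions: the `seccomp=PATH` spelling of the option (Docker 1.10 accepted `seccomp:PATH`; later releases use `=`), the `alpine` image, and `/bin/pwd` as the probe process, chosen because it calls getcwd(2), the syscall the answer's profile denies. The output path under `$TMPDIR` is arbitrary.

```sh
#!/bin/sh
# Added example (not from the original answer): build a seccomp profile in the
# JSON shape shown in the answer, check whether the running kernel supports
# seccomp, and assemble the docker run command that applies the profile.
set -eu

# write_profile OUTFILE SYSCALL [SYSCALL...]
# Writes a denylist profile: everything is allowed except the named syscalls,
# which fail with EPERM (the default errno for SCMP_ACT_ERRNO).
write_profile() {
  out="$1"
  shift
  {
    printf '{\n  "defaultAction": "SCMP_ACT_ALLOW",\n  "syscalls": [\n'
    first=1
    for sc in "$@"; do
      [ "$first" -eq 1 ] || printf ',\n'
      first=0
      printf '    { "name": "%s", "action": "SCMP_ACT_ERRNO" }' "$sc"
    done
    printf '\n  ]\n}\n'
  } > "$out"
}

# kernel_has_seccomp: exit 0 if this kernel was built with CONFIG_SECCOMP.
# Kernels with seccomp report a "Seccomp:" field in /proc/<pid>/status; the
# kernel config is consulted as a fallback when the distribution ships it.
kernel_has_seccomp() {
  if grep -q '^Seccomp:' /proc/self/status 2>/dev/null; then
    return 0
  fi
  if [ -r /proc/config.gz ]; then
    zcat /proc/config.gz | grep -q '^CONFIG_SECCOMP=y' && return 0
  fi
  if [ -r "/boot/config-$(uname -r)" ]; then
    grep -q '^CONFIG_SECCOMP=y' "/boot/config-$(uname -r)" && return 0
  fi
  return 1
}

# docker_cmd PROFILE: the run command line. Docker 1.10 accepted
# "seccomp:PATH"; current releases use "seccomp=PATH" (assumed here).
# /bin/pwd is the probe because it calls getcwd(2), which the profile denies.
docker_cmd() {
  printf 'docker run --rm --security-opt seccomp=%s alpine /bin/pwd' "$1"
}

profile="${TMPDIR:-/tmp}/deny-getcwd.json"   # arbitrary output path
write_profile "$profile" getcwd
echo "wrote $profile:"
cat "$profile"

if kernel_has_seccomp; then
  echo "kernel: CONFIG_SECCOMP available"
else
  echo "kernel: no seccomp support detected"
fi

echo "command: $(docker_cmd "$profile")"
# Launch the container only on request and only when a docker client exists.
# With the profile applied, /bin/pwd should fail with "Operation not permitted".
if [ "${RUN_CONTAINER:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then
  eval "$(docker_cmd "$profile")" || echo "getcwd blocked as expected"
fi
```

Run it as-is to generate the profile and report kernel support; set `RUN_CONTAINER=1` to actually start the container. Two caveats for anyone adapting this: the profile above is a denylist (`defaultAction` allow), which is fine for a demonstration but is not a hardening boundary, since a process can usually reach the same effect through a different syscall; Docker's own default profile takes the opposite approach and allows only a vetted set. And `--security-opt seccomp=unconfined` turns the filter off entirely, so it should never appear in a production `docker run` line by accident.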