Restrict system calls inside docker container

2020-07-10 11:04发布

How can I restrict any system call made inside a docker container. If the given process makes a system call it will be blocked. Or how can I use seccomp with docker.

标签： docker seccomp

1条回答

小情绪 Triste *

2楼-- · 2020-07-10 11:41

You can see more at "Seccomp security profiles for Docker" (the eature is available only if the kernel is configured with CONFIG_SECCOMP enabled.)

The supoprt for docker containers will be in docker 1.10: see issue 17142

allowing the Engine to accept a seccomp profile at container run time.
In the future, we might want to ship builtin profiles, or bake profiles in the images.

PR 17989 has been merged.

It allows for passing a seccomp profile in the form of:

{
     "defaultAction": "SCMP_ACT_ALLOW",
     "syscalls": [
         {
             "name": "getcwd",
             "action": "SCMP_ACT_ERRNO"
         }
     ]
 }

Example (based on Linux-specific Runtime Configuration - seccomp):

$ docker run --rm -it --security-ops seccomp:/path/to/container-profile.json jess/i-am-malicious

0人赞添加讨论(0) 举报

Restrict system calls inside docker container

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间