Limit system calls inside a docker container

How can I limit the system calls made inside a Docker container, so that if a process makes one of those system calls it is blocked? Or, how can I use seccomp with Docker?

+4
1 answer

You can see more in the section "Seccomp security profiles for Docker" (this feature is only available if the kernel is configured with CONFIG_SECCOMP enabled).

Support for Docker containers will be in Docker 1.10: see issue 17142.

Seccomp profile support: PR 17989.

An example seccomp profile:

{
     "defaultAction": "SCMP_ACT_ALLOW",
     "syscalls": [
         {
             "name": "getcwd",
             "action": "SCMP_ACT_ERRNO"
         }
     ]
 }

(Linux, with seccomp):

$ docker run --rm -it --security-opt seccomp:/path/to/container-profile.json jess/i-am-malicious
+3
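As an added example (not part of the original answer or of Docker's own code), the script below writes a profile that refuses a small set of syscalls with EPERM, checks that the written file lists them, and optionally starts a container under the profile to confirm that mkdir is rejected. It uses the "names" list form of a syscall entry and the seccomp=PATH spelling of --security-opt that current Docker accepts; the blocked syscall list, the alpine image and the RUN_DEMO switch are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original answer): deny a few syscalls in a
# Docker container with a custom seccomp profile.
set -eu

# Syscalls to refuse (illustrative choice). SCMP_ACT_ERRNO makes each of
# them fail with EPERM (the default errno) instead of killing the process.
BLOCKED_SYSCALLS="mkdir mkdirat chmod fchmod fchmodat"

# write_profile PATH: write a Docker seccomp profile that allows everything
# except BLOCKED_SYSCALLS, using the "names" array form of a syscall entry.
write_profile() {
    names=""
    for s in $BLOCKED_SYSCALLS; do
        names="${names:+$names, }\"$s\""
    done
    cat > "$1" <<EOF
{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "names": [$names],
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}
EOF
    # Docker rejects malformed profiles, so parse the JSON when a parser is at hand.
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$1" >/dev/null
    fi
}

# profile_denies PATH SYSCALL: exit 0 if SYSCALL is named in the profile and
# the profile carries an SCMP_ACT_ERRNO entry.
profile_denies() {
    grep -q "\"$2\"" "$1" && grep -q '"SCMP_ACT_ERRNO"' "$1"
}

# run_demo PATH: start a container under the profile and attempt a blocked
# call. Returns 0 when mkdir is refused with EPERM, 1 when it is not, and 2
# when docker is not installed. The alpine image is an assumption.
run_demo() {
    command -v docker >/dev/null 2>&1 || return 2
    if docker run --rm --security-opt seccomp="$1" alpine sh -c 'mkdir /tmp/blocked' 2>&1 \
        | grep -q 'Operation not permitted'; then
        return 0
    fi
    return 1
}

# The container step only runs when RUN_DEMO=1 (hypothetical switch), so the
# profile-building functions can be exercised without Docker present.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    PROFILE=$(mktemp)
    write_profile "$PROFILE"
    run_demo "$PROFILE" && echo "mkdir was refused with EPERM under $PROFILE"
    rm -f "$PROFILE"
fi
```

Two checks are worth doing before relying on this: `docker info` lists seccomp under "Security Options" only when the daemon can apply profiles, and the kernel needs CONFIG_SECCOMP_FILTER (not just CONFIG_SECCOMP) for the BPF-based filtering Docker uses. Note also that an allow-by-default profile with a deny list, as above and in the answer's getcwd example, only stops the calls you remembered to list; Docker's own default profile takes the opposite approach, denying by default and allowing a known set, which is the safer shape for anything beyond a quick experiment.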

Source: https://habr.com/ru/post/1624913/
