限制Docker容器内的系统调用 [英] Restrict system calls inside docker container
问题描述
如何限制在Docker容器内进行的任何系统调用。如果给定进程进行系统调用,它将被阻止。或者如何将seccomp与docker结合使用。
How can I restrict any system call made inside a docker container. If the given process makes a system call it will be blocked. Or how can I use seccomp with docker.
推荐答案
您可以在 适用于Docker的Seccomp安全配置文件(仅当内核配置了 CONFIG_SECCOMP $ c $时,此特性才可用c>已启用。)
You can see more at "Seccomp security profiles for Docker" (the eature is available only if the kernel is configured with CONFIG_SECCOMP
enabled.)
docker容器的支持文件将位于docker 1.10中:请参阅问题17142
The supoprt for docker containers will be in docker 1.10: see issue 17142
允许引擎在容器运行时接受seccomp配置文件。
将来,我们可能希望提供内置配置文件,或在图像中烘焙配置文件。
allowing the Engine to accept a seccomp profile at container run time.
In the future, we might want to ship builtin profiles, or bake profiles in the images.
< a href = https://github.com/docker/docker/pull/17989 rel = noreferrer> PR 17989 已被合并。
它允许以以下形式传递seccomp配置文件:
It allows for passing a seccomp profile in the form of:
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
}
]
}
示例(基于 Linux特定的运行时配置-seccomp ):
$ docker run --rm -it --security-ops seccomp:/path/to/container-profile.json jess/i-am-malicious
这篇关于限制Docker容器内的系统调用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!