Restrict system calls inside docker container


Question

How can I restrict any system call made inside a Docker container? If the given process makes that system call, it will be blocked. Or, how can I use seccomp with Docker?

Answer

You can see more at "Seccomp security profiles for Docker" (the feature is available only if the kernel is configured with CONFIG_SECCOMP enabled).

The support for Docker containers will be in Docker 1.10: see issue 17142,

    allowing the Engine to accept a seccomp profile at container run time.
    In the future, we might want to ship builtin profiles, or bake profiles in the images.

PR 17989 (https://github.com/docker/docker/pull/17989) has been merged.


It allows for passing a seccomp profile in the form of:


{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "getcwd",
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}


Example (based on "Linux-specific Runtime Configuration - seccomp" in the OCI runtime spec):



$ docker run --rm -it --security-opt seccomp:/path/to/container-profile.json jess/i-am-malicious
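An added example, not part of the original answer, that builds profiles in the format shown above and evaluates which action a given syscall would receive under a profile (deny-list vs. allow-list); it also accepts the later `names` list form that Docker added, which the answer's 1.10-era profile does not use. Action names and the `PAGE_PROFILE_JSON` sample are the page's; everything else is assumed for illustration.

```python
import json

# Seccomp actions accepted in a Docker seccomp profile (assumed subset).
VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_TRAP", "SCMP_ACT_TRACE"}

# The profile from the answer, embedded as a constructed sample string.
PAGE_PROFILE_JSON = """{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [ { "name": "getcwd", "action": "SCMP_ACT_ERRNO" } ]
}"""


def build_profile(default_action, syscalls, action):
    """One rule per syscall, in the shape the answer shows."""
    if default_action not in VALID_ACTIONS or action not in VALID_ACTIONS:
        raise ValueError("unknown seccomp action")
    return {"defaultAction": default_action,
            "syscalls": [{"name": s, "action": action} for s in syscalls]}


def deny_list(blocked):
    """Default allow; listed syscalls fail with an errno (easy to deploy, easy to bypass
    via a syscall you forgot to list)."""
    return build_profile("SCMP_ACT_ALLOW", blocked, "SCMP_ACT_ERRNO")


def allow_list(permitted):
    """Default errno; only listed syscalls run. Stricter, but the list must be complete
    or the workload breaks, so test it against the real container first."""
    return build_profile("SCMP_ACT_ERRNO", permitted, "SCMP_ACT_ALLOW")


def load_profile(text):
    """Parse a profile and reject unknown actions before handing it to docker run."""
    profile = json.loads(text)
    if profile.get("defaultAction") not in VALID_ACTIONS:
        raise ValueError("bad defaultAction")
    for rule in profile.get("syscalls", []):
        if rule.get("action") not in VALID_ACTIONS:
            raise ValueError("bad rule action: %r" % rule)
    return profile


def action_for(profile, syscall):
    """Action seccomp applies to `syscall`: first matching rule wins, else the default.
    Supports the single `name` key used on this page and the later `names` list."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if syscall in names:
            return rule["action"]
    return profile["defaultAction"]
```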
