Document new rules for seccomp profile#776
Merged
mdlinville merged 1 commit intodocker:vnext-enginefrom Jan 20, 2017
mdlinville:29076_seccomp_update
Merged
Document new rules for seccomp profile#776mdlinville merged 1 commit intodocker:vnext-enginefrom mdlinville:29076_seccomp_update
mdlinville merged 1 commit intodocker:vnext-enginefrom
mdlinville:29076_seccomp_update
Conversation
riyazdf
approved these changes
Dec 2, 2016
Contributor
riyazdf
left a comment
riyazdf
left a comment
There was a problem hiding this comment.
Socket changes LGTM after nits and thank you for revamping other sections of the page!
engine/security/seccomp.md
Outdated
|
|
||
| ``` | ||
| $ docker run --rm -it --security-opt seccomp=/path/to/seccomp/profile.json hello-world | ||
| In general, these allowances are required for Docker to run correctly. It is not |
Contributor
There was a problem hiding this comment.
I think more so than running "correctly," seccomp is instrumental for running Docker containers with least privilege
engine/security/seccomp.md
Outdated
| | `setns` | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`. | | ||
| | `settimeofday` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | | ||
| | `settimeofday` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | ||
| | `socket`, `socketcall` | Used to send or receive packets and for other socket operations. All `socket` and `socketcall` calls are blocked except types `AF_UNIX`, `AF_INET`, `AF_INET6`, `AF_NETLINK`, and `AF_PACKET`. | |
Contributor
There was a problem hiding this comment.
Instead of "types," I think "communication domains" is more appropriate: http://man7.org/linux/man-pages/man2/socket.2.html
Contributor
|
Also I think this change is landing in 1.14, @justincormack can confirm |
mdlinville
force-pushed
the
vnext-engine
branch
from
76f8872 to
38e8dd6
Compare
mdlinville
changed the title
mdlinville
force-pushed
the
vnext-engine
branch
from
39b0357 to
c2f3645
Compare
mdlinville
changed the title
mdlinville
force-pushed
the
vnext-engine
branch
from
a054aed to
8fe746b
Compare
Contributor
|
@mstanleyjones: we cherry-picked the code change for 17.03, so can we release these earlier? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Describe the proposed changes
Document new seccomp rules from moby/moby#29076
Unreleased project version
Engine 1.14
Related issue or PR in another project
https://github.com/docker/docker/pull/29076/files
Please take a look
@justincormack @riyazdf
Can you also please clarify the version where this will land? I've put 1.13 for now...