5th chunk of `content/manuals/engine/security/seccomp.md`
| Syscall             | Description                                                                             |
| ------------------- | --------------------------------------------------------------------------------------- |
| `set_mempolicy`     | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. |
| `setns`             | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`.              |
| `settimeofday`      | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`.                              |
| `stime`             | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`.                              |
| `swapon`            | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`.                 |
| `swapoff`           | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`.                 |
| `sysfs`             | Obsolete syscall.                                                                       |
| `_sysctl`           | Obsolete, replaced by /proc/sys.                                                        |
| `umount`            | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`.                        |

Title: Docker's Seccomp Profile: Preventing Harmful System Calls (Continued)
Summary
This section lists additional system calls blocked by Docker's default seccomp profile to enhance container security: `set_mempolicy` (kernel memory and NUMA settings), `setns` (associating a thread with a namespace), `settimeofday` and `stime` (system time, which is not namespaced), `swapon` and `swapoff` (starting and stopping swapping to a file or device), `sysfs` and `_sysctl` (obsolete syscalls, the latter replaced by `/proc/sys`), and `umount` (a privileged operation). These calls are restricted to prevent containers from compromising the host system or other containers, and most are also gated by a capability: `CAP_SYS_NICE`, `CAP_SYS_ADMIN` or `CAP_SYS_TIME`.
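
When reviewing a custom seccomp profile, a useful check is whether any syscall from the table above has been re-allowed without the capability condition the table names. The following is an added example, not part of the Docker documentation or code: it reads a profile in Docker's JSON layout (`defaultAction`, `syscalls[].names` or `name`, `action`, `includes.caps`) and classifies each syscall in the table. It is a static reading that ignores `args`, `excludes` and architecture sections, and the sample profile is constructed for illustration.

```python
import json

# Syscalls from the table above, with the capability the table says gates each
# one (None where the table names no capability). Static check, assumptions above.
TABLE = {
    "set_mempolicy": "CAP_SYS_NICE", "setns": "CAP_SYS_ADMIN",
    "settimeofday": "CAP_SYS_TIME", "stime": "CAP_SYS_TIME",
    "swapon": "CAP_SYS_ADMIN", "swapoff": "CAP_SYS_ADMIN",
    "sysfs": None, "_sysctl": None, "umount": "CAP_SYS_ADMIN",
}
PERMIT = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}  # LOG records the call, then lets it run

def classify(profile, name):
    """Return 'blocked', 'cap-gated', 'cap-mismatch' or 'unconditional'."""
    permits, denied = [], False
    for rule in profile.get("syscalls") or []:
        if name not in (rule.get("names") or [rule.get("name")]):
            continue
        if rule.get("action") in PERMIT:
            permits.append((rule.get("includes") or {}).get("caps") or [])
        else:
            denied = True
    if any(not caps for caps in permits):
        return "unconditional"          # permitted with no capability condition
    if permits:
        want = TABLE.get(name)
        ok = want is None or all(want in caps for caps in permits)
        return "cap-gated" if ok else "cap-mismatch"
    if profile.get("defaultAction") in PERMIT and not denied:
        return "unconditional"          # falls through to a permissive default
    return "blocked"

def audit(profile_text):
    profile = json.loads(profile_text)
    return {name: classify(profile, name) for name in TABLE}

# Constructed sample profile for this example, not Docker's default profile.
SAMPLE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "settimeofday"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["setns", "swapon", "swapoff", "umount"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["stime"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_NICE"]}},
        {"name": "sysfs", "action": "SCMP_ACT_LOG"},
    ],
})

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name:15} {state}")
```

Entries reported as `unconditional` or `cap-mismatch` are the ones to review: the profile lets the call through without the capability the table lists for it.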