| Syscall             | Description                                                                                                                                                                                                                                   |
|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `acct`              | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_PACCT`.                                                                                                          |
| `add_key`           | Prevent containers from using the kernel keyring, which is not namespaced.                                                                                                                                                                     |
| `bpf`               | Deny loading potentially persistent BPF programs into kernel, already gated by `CAP_SYS_ADMIN`.                                                                                                                                                |
| `clock_adjtime`     | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`.                                                                                                                                                                                     |
| `clock_settime`     | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`.                                                                                                                                                                                     |
| `clone`             | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE\_\* flags, except `CLONE_NEWUSER`.                                                                                                                                        |
| `create_module`     | Deny manipulation and functions on kernel modules. Obsolete. Also gated by `CAP_SYS_MODULE`.                                                                                                                                                   |
| `delete_module`     | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`.                                                                                                                                                             |
| `finit_module`      | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`.                                                                                                                                                             |
| `get_kernel_syms`   | Deny retrieval of exported kernel and module symbols. Obsolete.                                                                                                                                                                                |
| `get_mempolicy`     | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`.                                                                                                                                                        |
| `init_module`       | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`.                                                                                                                                                             |
| `ioperm`            | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`.                                                                                                                                               |
| `iopl`              | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`.                                                                                                                                               |
| `kcmp`              | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`.                                                                                                                                                        |
| `kexec_file_load`   | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. Also gated by `CAP_SYS_BOOT`.                                                                                                                           |
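Several entries in the table are "also gated by" a capability, which in the profile JSON shows up as an allow rule with an `includes.caps` condition, while `clone` is additionally filtered on its flags argument. A custom profile that copies Docker's layout can quietly undo that by allowing one of these syscalls unconditionally. The following script is an added example, not Docker's own tooling: it walks a profile in the documented layout (`defaultAction`, `syscalls[].names`, `action`, `args`, `includes`/`excludes` with `caps`) and reports, for each syscall in the table above, whether it is allowed unconditionally, only under a capability, only with argument filtering, or not at all. The embedded profile is constructed for the demonstration and is not Docker's real `default.json`; the `clone` mask value is an assumed example.

```python
"""Audit a Docker-style seccomp profile for syscalls the default profile blocks.

Added example (not Docker's own code). Assumes the profile JSON layout
Docker documents: a top-level "defaultAction" and a "syscalls" list whose
entries carry "names", "action", optional "args", and optional
"includes"/"excludes" objects with a "caps" list. "minKernel"/"arches"
conditions are ignored here.
"""
import json
import sys

# Syscalls from the table above: a hardened profile should not hand these
# back to an unprivileged container without a capability or argument gate.
WATCHED = [
    "acct", "add_key", "bpf", "clock_adjtime", "clock_settime", "clone",
    "create_module", "delete_module", "finit_module", "get_kernel_syms",
    "get_mempolicy", "init_module", "ioperm", "iopl", "kcmp",
    "kexec_file_load",
]

# Constructed sample profile (NOT Docker's real default.json). It mimics the
# real layout: an unconditional allowlist, an arg-filtered clone rule, rules
# that apply only when a capability is added, and one deliberate mistake
# (add_key allowed unconditionally) for the audit to catch.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        # clone allowed only when none of the CLONE_NEW* bits are set
        # (mask value is an assumed example)
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["clone", "bpf"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["clock_settime", "clock_adjtime"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_TIME"]}},
        # Misconfiguration: the kernel keyring is not namespaced.
        {"names": ["add_key"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def describe_rule(rule):
    """Classify one allow rule: unconditional, cap-gated, and/or arg-filtered."""
    parts = []
    caps = (rule.get("includes") or {}).get("caps") or []
    if caps:
        parts.append("only with " + "+".join(caps))
    excluded = (rule.get("excludes") or {}).get("caps") or []
    if excluded:
        parts.append("unless " + "+".join(excluded))
    if rule.get("args"):
        parts.append("arg-filtered")
    return ", ".join(parts) if parts else "unconditional"


def audit_profile(profile, watched=WATCHED):
    """Return {syscall: [conditions under which an allow rule matches it]}.

    An empty list means no allow rule names the syscall, so it falls through
    to defaultAction (denied when that action is not SCMP_ACT_ALLOW).
    """
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        # A permissive default makes every watched syscall reachable.
        return {name: ["allowed by defaultAction"] for name in watched}
    grants = {name: [] for name in watched}
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue  # ERRNO/TRACE/LOG rules do not grant access
        for name in rule.get("names", []):
            if name in grants:
                grants[name].append(describe_rule(rule))
    return grants


def unconditional_allows(profile, watched=WATCHED):
    """Watched syscalls a container gets with no capability or argument gate."""
    return sorted(name for name, grants in audit_profile(profile, watched).items()
                  if "unconditional" in grants)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:  # e.g. a custom profile passed to --security-opt seccomp=
            profile = json.load(fh)
    else:
        profile = SAMPLE_PROFILE
    for name, grants in audit_profile(profile).items():
        print(f"{name:18} {'; '.join(grants) or 'denied (falls through to defaultAction)'}")
    print("unconditionally allowed:", unconditional_allows(profile) or "none")
```

Run it with no argument to audit the embedded sample, or pass the path of a custom profile JSON. Anything reported as `unconditional` deserves a second look: the table above explains why each of these syscalls is held behind a capability or argument filter in the first place.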

## Significant system calls blocked by Docker's default seccomp profile (continued)

### Summary

This section continues the list of significant system calls blocked by Docker's default seccomp profile, explaining why they are not whitelisted. These include calls like `clock_settime` (time management), `clone` (process creation), `create_module`, `delete_module`, `finit_module`, `init_module` (kernel module manipulation), `get_kernel_syms` (kernel symbol retrieval), `get_mempolicy` (memory management), `ioperm`, `iopl` (I/O privilege modification), `kcmp` (process inspection), and `kexec_file_load` (kernel loading), all blocked to prevent containers from compromising system security.