4th chunk of `content/manuals/engine/security/seccomp.md`

| Syscall             | Description                                                                                                                                                                                                                                    |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `perf_event_open`   | Tracing/profiling syscall, which could leak a lot of information on the host.                                                                                                                                                                  |
| `personality`       | Prevents the container from enabling BSD emulation. Not inherently dangerous, but poorly tested, with potential for a lot of kernel vulnerabilities.                                                                                           |
| `pivot_root`        | Deny `pivot_root`; it should be a privileged operation.                                                                                                                                                                                        |
| `process_vm_readv`  | Restrict process inspection capabilities; already blocked by dropping `CAP_SYS_PTRACE`.                                                                                                                                                        |
| `process_vm_writev` | Restrict process inspection capabilities; already blocked by dropping `CAP_SYS_PTRACE`.                                                                                                                                                        |
| `ptrace`            | Tracing/profiling syscall. Blocked on Linux kernels before 4.8 to avoid a seccomp bypass: on those kernels a tracer could rewrite a syscall after the filter had already checked it. Tracing/profiling arbitrary processes is already blocked by dropping `CAP_SYS_PTRACE`, because it could leak a lot of information on the host. |
| `query_module`      | Deny manipulation of and functions on kernel modules. Obsolete syscall.                                                                                                                                                                        |
| `quotactl`          | Quota syscall, which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`.                                                                                                              |
| `reboot`            | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`.                                                                                                                                                                            |
| `request_key`       | Prevent containers from using the kernel keyring, which is not namespaced.                                                                                                                                                                     |
| `set_mempolicy`     | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`.                                                                                                                                                        |
| `setns`             | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`.                                                                                                                                                                     |
| `settimeofday`      | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`.                                                                                                                                                                                     |
| `stime`             | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`.                                                                                                                                                                                     |
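
The "also gated by" and "blocked before 4.8" notes in the table correspond to how rules are expressed in the profile JSON: a rule lists `names` and an `action`, and may carry `includes`/`excludes` blocks keyed on capabilities and a `minKernel`, plus per-argument comparisons under `args`. The Python below is an added example, not part of the Docker documentation or of Moby's code. It evaluates a profile written in that format and reports which action a given syscall gets for a given capability set, kernel release and argument vector. The embedded profile is a constructed, abbreviated excerpt in the same shape as Docker's default profile, not the real file; the evaluator's first-match-wins loop is a simplification of the filter libseccomp compiles, and the includes/excludes handling follows the semantics the Moby profile loader applies (all `includes.caps` must be held, any held `excludes.caps` drops the rule, `minKernel` is compared on major.minor only).

```python
import json

# Constructed, abbreviated profile in the shape of Docker's default seccomp
# profile. It is NOT the real default.json; only rules needed for the demo.
PROFILE_JSON = r'''
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"minKernel": "4.8"}},
    {"names": ["reboot"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_BOOT"]}},
    {"names": ["setns", "quotactl"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["settimeofday", "stime"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_TIME"]}}
  ]
}
'''
PROFILE = json.loads(PROFILE_JSON)

# libseccomp comparison operators; MASKED_EQ is (arg & value) == valueTwo.
_OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}


def kernel_tuple(release):
    """'4.8' or '5.15.0-91-generic' -> (4, 8) / (5, 15); only major.minor count."""
    parts = release.split("-")[0].split(".")
    return tuple(int(p) for p in parts[:2])


def _args_match(rule, args):
    """Every per-argument comparison in a rule must hold (they are ANDed)."""
    for cmp in rule.get("args") or []:
        if cmp["index"] >= len(args):
            return False
        if not _OPS[cmp["op"]](args[cmp["index"]], cmp["value"], cmp.get("valueTwo", 0)):
            return False
    return True


def evaluate(profile, syscall, caps=(), kernel="5.15", args=()):
    """Return the action the profile yields for one syscall invocation.

    caps   -- container bounding capability set, e.g. {"CAP_SYS_BOOT"}
    kernel -- host kernel release string
    args   -- integer syscall arguments; only consulted by rules with "args"
    Simplification: first matching rule wins, else defaultAction. The real
    filter is compiled by libseccomp, where several rules for one syscall
    are ORed; the loop reproduces that as long as their actions agree.
    """
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        exc = rule.get("excludes") or {}
        inc = rule.get("includes") or {}
        # excludes: rule is dropped if ANY listed cap is held or kernel >= minKernel
        if any(c in caps for c in exc.get("caps", [])):
            continue
        if "minKernel" in exc and kernel_tuple(kernel) >= kernel_tuple(exc["minKernel"]):
            continue
        # includes: rule applies only if ALL listed caps are held and kernel >= minKernel
        if not all(c in caps for c in inc.get("caps", [])):
            continue
        if "minKernel" in inc and kernel_tuple(kernel) < kernel_tuple(inc["minKernel"]):
            continue
        if not _args_match(rule, args):
            continue
        return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    checks = [
        ("reboot, no caps", evaluate(PROFILE, "reboot")),
        ("reboot, CAP_SYS_BOOT", evaluate(PROFILE, "reboot", caps={"CAP_SYS_BOOT"})),
        ("ptrace, kernel 4.4", evaluate(PROFILE, "ptrace", kernel="4.4.0")),
        ("ptrace, kernel 5.15", evaluate(PROFILE, "ptrace", kernel="5.15.0-91-generic")),
        ("personality(0)", evaluate(PROFILE, "personality", args=(0,))),
        ("personality(0x0008)", evaluate(PROFILE, "personality", args=(0x0008,))),
        ("perf_event_open (no rule)", evaluate(PROFILE, "perf_event_open")),
    ]
    for label, action in checks:
        print(f"{label:28} -> {action}")
```

Running it shows the table's reasoning in filter terms: a syscall with no rule at all (`perf_event_open`) falls through to `defaultAction`, `reboot` and `setns` flip to `SCMP_ACT_ALLOW` only when the gating capability is in the bounding set, `ptrace` flips on the kernel version, and `personality` depends on the argument value rather than on any capability. Point `evaluate` at a parsed copy of the real default profile to check the same questions against what Docker actually ships.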
