docker

3rd chunk of `content/manuals/engine/security/seccomp.md`
| Syscall             | Description                                                                                                                                    |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| `ioperm`            | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`.                                               |
| `iopl`              | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`.                                               |
| `kcmp`              | Restrict process inspection capabilities; already blocked by dropping `CAP_SYS_PTRACE`.                                                        |
| `kexec_file_load`   | Sister syscall of `kexec_load` that does the same thing with slightly different arguments. Also gated by `CAP_SYS_BOOT`.                       |
| `kexec_load`        | Deny loading a new kernel for later execution. Also gated by `CAP_SYS_BOOT`.                                                                   |
| `keyctl`            | Prevent containers from using the kernel keyring, which is not namespaced.                                                                     |
| `lookup_dcookie`    | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by `CAP_SYS_ADMIN`.                                   |
| `mbind`             | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`.                                                        |
| `mount`             | Deny mounting; already gated by `CAP_SYS_ADMIN`.                                                                                               |
| `move_pages`        | Syscall that modifies kernel memory and NUMA settings.                                                                                         |
| `nfsservctl`        | Deny interaction with the kernel NFS daemon. Obsolete since Linux 3.1.                                                                         |
| `open_by_handle_at` | Cause of an old container breakout. Also gated by `CAP_DAC_READ_SEARCH`.                                                                       |
| `perf_event_open`   | Tracing/profiling syscall, which could leak a lot of information on the host.                                                                  |
| `personality`       | Prevent the container from enabling BSD emulation. Not inherently dangerous, but poorly tested, with potential for a lot of kernel vulnerabilities. |
| `pivot_root`        | Deny `pivot_root`; it should be a privileged operation.                                                                                        |
| `process_vm_readv`  | Restrict process inspection capabilities; already blocked by dropping `CAP_SYS_PTRACE`.                                                        |
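Several rows above say a syscall is "already gated by" a capability. In the profile JSON that shows up as a rule whose `includes.caps` lists that capability, so the syscall is allowed only when the container actually holds it; otherwise the profile's `defaultAction` applies. The script below is an added example (not part of the Docker documentation or the Moby project) that evaluates which action a given profile yields for a syscall under a given capability set. The profile embedded in it is a constructed excerpt in the shape of Docker's default profile, not the real file, and the rule-matching semantics (every `includes.caps` entry must be held, any `excludes.caps` entry disqualifies the rule, first matching rule wins) are my reading of how dockerd applies these fields, stated here as an assumption.

```python
import json

# Constructed excerpt in the shape of Docker's seccomp profile JSON.
# It is NOT the real default.json; it exists so the example runs offline.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "syscalls": [
    {"names": ["chmod", "open", "read", "write"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["mount", "pivot_root", "lookup_dcookie"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["kcmp", "process_vm_readv"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    {"names": ["kexec_load", "kexec_file_load"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_BOOT"]}}
  ]
}
""")

# The syscalls listed in the table above; keyctl, move_pages, nfsservctl,
# perf_event_open and personality have no capability-gated rule in the
# sample, so they stay at defaultAction regardless of capabilities.
TABLE_SYSCALLS = [
    "ioperm", "iopl", "kcmp", "kexec_file_load", "kexec_load", "keyctl",
    "lookup_dcookie", "mbind", "mount", "move_pages", "nfsservctl",
    "open_by_handle_at", "perf_event_open", "personality", "pivot_root",
    "process_vm_readv",
]


def rule_applies(rule, caps):
    """Assumed dockerd semantics: a rule is skipped if the container holds
    any capability in excludes.caps, and used only if it holds every
    capability in includes.caps."""
    includes = rule.get("includes", {})
    excludes = rule.get("excludes", {})
    if any(c in caps for c in excludes.get("caps", [])):
        return False
    if not all(c in caps for c in includes.get("caps", [])):
        return False
    return True


def effective_action(profile, syscall, caps=()):
    """Return the seccomp action the profile yields for `syscall` when the
    container holds the capabilities in `caps`. First matching rule wins
    (a simplification; the real profile has no conflicting rules)."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def blocked_syscalls(profile, syscalls, caps=()):
    """Sorted list of the given syscalls that are not SCMP_ACT_ALLOW."""
    return sorted(s for s in syscalls
                  if effective_action(profile, s, caps) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    # To audit a real profile, replace SAMPLE_PROFILE with
    # json.load(open("<path to your seccomp profile>")).
    for caps in ([], ["CAP_SYS_ADMIN"], ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"]):
        print(f"caps={caps or 'none'}")
        for name in blocked_syscalls(SAMPLE_PROFILE, TABLE_SYSCALLS, caps):
            print(f"  {name}: {effective_action(SAMPLE_PROFILE, name, caps)}")
```

Running it shows the layering the table describes: `mount` and `pivot_root` flip to `SCMP_ACT_ALLOW` only once `CAP_SYS_ADMIN` is granted, `kcmp` and `process_vm_readv` only with `CAP_SYS_PTRACE`, while `keyctl` stays blocked under every capability set because the profile has no rule for it at all. Pointing the same functions at a real profile file is a quick way to check that a custom profile has not silently re-enabled one of these syscalls.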
