6th chunk of `content/manuals/engine/security/seccomp.md`
| `swapoff`           | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`.                                                                                                                                                                        |
| `sysfs`             | Obsolete syscall.                                                                                                                                                                                                                              |
| `_sysctl`           | Obsolete, replaced by /proc/sys.                                                                                                                                                                                                               |
| `umount`            | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`.                                                                                                                                                                               |
| `umount2`           | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`.                                                                                                                                                                               |
| `unshare`           | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`.                                                                                                                              |
| `uselib`            | Older syscall related to shared libraries, unused for a long time.                                                                                                                                                                             |
| `userfaultfd`       | Userspace page fault handling, largely needed for process migration.                                                                                                                                                                           |
| `ustat`             | Obsolete syscall.                                                                                                                                                                                                                              |
| `vm86`              | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`.                                                                                                                                                                        |
| `vm86old`           | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`.                                                                                                                                                                        |

## Run without the default seccomp profile

You can pass `unconfined` to run a container without the default seccomp
profile.

```console
$ docker run --rm -it --security-opt seccomp=unconfined debian:latest \
    unshare --map-root-user --user sh -c whoami
```
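Whether the default profile (or no profile at all) is actually in effect for a container is visible from inside it: the kernel records the mode in the `Seccomp:` field of `/proc/<pid>/status` (`0` disabled, `1` strict, `2` filter, the last being what Docker's seccomp-bpf profile installs). The following script is an added example, not part of the Docker documentation, and assumes only the Linux `/proc` status format; the helper names and the constructed sample status file are my own.

```shell
#!/bin/sh
# Added example (not from the Docker docs): check from inside a process
# whether a seccomp filter is active by reading the "Seccomp:" field of
# /proc/<pid>/status. Kernel values: 0 = disabled, 1 = strict,
# 2 = filter (seccomp-bpf, which is what Docker's default profile loads).

# Print the Seccomp mode recorded in a status file (path given as $1),
# or "unknown" if the field is absent.
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Turn the numeric mode into a short human-readable verdict.
describe_seccomp_mode() {
    case "$1" in
        0) echo "disabled: no seccomp filter (e.g. --security-opt seccomp=unconfined)" ;;
        1) echo "strict: only read/write/_exit/sigreturn allowed" ;;
        2) echo "filter: a seccomp-bpf profile is loaded" ;;
        *) echo "unknown: no Seccomp field found" ;;
    esac
}

# Constructed sample of the relevant lines of /proc/<pid>/status, written
# to a temp file so the functions can be exercised without a container.
make_sample_status() {
    f=$(mktemp)
    printf 'Name:\tsh\nPid:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\n' > "$f"
    echo "$f"
}

# Run against the constructed sample, then against this shell's own status.
sample=$(make_sample_status)
mode=$(seccomp_mode_from_status "$sample")
echo "sample: mode $mode -> $(describe_seccomp_mode "$mode")"
rm -f "$sample"

if [ -r /proc/self/status ]; then
    mode=$(seccomp_mode_from_status /proc/self/status)
    echo "this shell: mode $mode -> $(describe_seccomp_mode "$mode")"
fi
```

The same check can be run directly in a container with `docker run --rm debian:latest grep Seccomp /proc/self/status`: on a typical host the default profile reports `Seccomp: 2`, and adding `--security-opt seccomp=unconfined` reports `Seccomp: 0`. From the host side, `docker inspect --format '{{.HostConfig.SecurityOpt}}' <container>` shows whether `seccomp=unconfined` was requested for a running container, which is the value worth alerting on in an audit.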
