Linux Seccomp

1

docker run docker/whalesay cowsay hello!

1

docker run -it --rm docker/whalesay /bin/sh

1

ps -ef

1
2
3

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 12:01 pts/0    00:00:00 /bin/sh
root         9     1  0 12:01 pts/0    00:00:00 ps -ef

1

grep Seccomp /proc/1/status

1
2

Seccomp:	2
Seccomp_filters:	1

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "<syscall-1>",
        "<syscall-2>",
        "<syscall-3>"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "<syscall-1>",
        "<syscall-2>",
        "<syscall-3>"
      ],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}

1

docker run -it --rm --security-opt seccomp=whitelist.json docker/whalesay /bin/sh

1

docker run -it --rm --security-opt seccomp=unconfined docker/whalesay /bin/sh

1

date -s '19 APR 2012 22:00:00'

1

date: cannot set date: Operation not permitted