Restrict system calls inside docker container

Question

How can I restrict any system call made inside a docker container. If the given process makes a system call it will be blocked. Or how can I use seccomp with docker.

Answer 1

You can see more at "Seccomp security profiles for Docker" (the eature is available only if the kernel is configured with CONFIG_SECCOMP enabled.)

The supoprt for docker containers will be in docker 1.10: see issue 17142

allowing the Engine to accept a seccomp profile at container run time.
In the future, we might want to ship builtin profiles, or bake profiles in the images.

PR 17989 has been merged.

It allows for passing a seccomp profile in the form of:

{
     "defaultAction": "SCMP_ACT_ALLOW",
     "syscalls": [
         {
             "name": "getcwd",
             "action": "SCMP_ACT_ERRNO"
         }
     ]
 }

Example (based on Linux-specific Runtime Configuration - seccomp):

$ docker run --rm -it --security-ops seccomp:/path/to/container-profile.json jess/i-am-malicious