docker - Docker seccomp 适用于 alpine/busybox 但不适用于 ubuntu

从docker-lab看来，您还缺少两个属性以使其正常与 Linux 一起工作

default-no-chmod.json 配置文件是对 default.json 配置文件> 的修改，其中chmod()、fchmod()和chmodat()syscall 从其白名单中删除。

安全-seccomp

{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
],
"syscalls": [
    {
        "name": "chmod",
        "action": "SCMP_ACT_ERRNO",
        "args": []
    },
      {
        "name": "fchmod",
        "action": "SCMP_ACT_ERRNO",
        "args": [

        ]
      },
      {
        "name": "fchmodat",
        "action": "SCMP_ACT_ERRNO",
        "args": [

        ]
      },
    {
        "name": "chown",
        "action": "SCMP_ACT_ERRNO",
        "args": []
    },
    {
        "name": "chown32",
        "action": "SCMP_ACT_ERRNO",
        "args": []
    }] 
}

现在，如果您从 ubuntu 尝试过，您将得到预期的结果

docker run -it --security-opt seccomp=profile.json ubuntu:18.04 /bin/sh -c " chmod +x /etc/hosts"

chmod: changing permissions of '/etc/hosts': Operation not permitted

此外，busybox 的结果相同

docker run -it --security-opt seccomp=profile.json busybox /bin/sh -c " chmod +x /etc/host"
chmod: /etc/host: No such file or directory