MAC and seccomp
Let's see how Docker works with Linux MAC technologies and seccomp.
Mandatory Access Control systems
Docker works with major Linux MAC technologies such as AppArmor and SELinux.
Depending on your Linux distribution, Docker applies default AppArmor or SELinux profiles to all new containers, and according to the Docker documentation, the default profiles are moderately protective while providing wide application compatibility.
You can tell Docker to start containers without these policies, and you can configure your own. However, as with capabilities, configuring your own policies is very powerful but requires a lot of effort and testing.
seccomp
Docker uses seccomp to limit which syscalls a container can make to the host’s kernel.
Syscalls are how applications ask the Linux kernel to perform tasks. At the time of writing, Linux has over 300 syscalls and the default Docker profile disables approximately 40-50.
As per the Docker security philosophy, all new containers get a default seccomp profile configured with sensible defaults designed to provide moderate security without impacting application compatibility.
As always, you can customize your own seccomp profiles or tell Docker to start containers without one. Unfortunately, the Linux syscall table is long, and configuring custom seccomp policies may be prohibitively complex for some users.
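To make the seccomp section concrete, here is an added example (not Docker's own code or its default profile) that builds a custom profile in the JSON layout Docker loads via --security-opt seccomp=<file> and resolves which syscalls it would allow or refuse. The syscall allowlist is constructed for illustration, and the resolver is a simplified model that ignores argument rules and per-architecture includes/excludes.

```python
"""Build and evaluate a Docker-format seccomp profile (added example, not Docker's code).

A Docker seccomp profile is JSON: a defaultAction applied to every syscall not listed,
plus "syscalls" entries mapping names to an action. Docker's shipped default profile is
an allowlist (defaultAction SCMP_ACT_ERRNO), so a custom profile normally keeps that
shape and just changes which names are allowed. This resolver is a simplified model:
it does not handle "args" rules or architecture includes/excludes.
"""
import json

# Constructed allowlist for a minimal network service (far shorter than Docker's default).
ALLOWED_SYSCALLS = [
    "read", "write", "openat", "close", "fstat", "mmap", "munmap", "brk",
    "rt_sigaction", "rt_sigprocmask", "socket", "bind", "listen", "accept4",
    "epoll_create1", "epoll_ctl", "epoll_wait", "exit_group", "futex",
]


def build_profile(allowed, default_action="SCMP_ACT_ERRNO"):
    """Return a dict in the layout Docker expects for --security-opt seccomp=<file>."""
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(allowed), "action": "SCMP_ACT_ALLOW", "args": []},
        ],
    }


def resolve(profile, syscall):
    """Action the filter applies to `syscall`: first matching rule, else defaultAction."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def blocked(profile, syscalls):
    """Subset of `syscalls` the profile refuses; handy when testing an app against it."""
    return [s for s in syscalls if resolve(profile, s) != "SCMP_ACT_ALLOW"]


def write_profile(profile, path):
    """Serialise the profile so it can be passed to `docker run --security-opt seccomp=<path>`."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path


if __name__ == "__main__":
    prof = build_profile(ALLOWED_SYSCALLS)
    write_profile(prof, "web-seccomp.json")
    print("blocked:", blocked(prof, ["read", "mount", "ptrace", "accept4", "kexec_load"]))
    # Apply with: docker run --security-opt seccomp=web-seccomp.json <image>
    # Disable entirely (not recommended): docker run --security-opt seccomp=unconfined <image>
```

Run the container's test suite under the generated profile and extend ALLOWED_SYSCALLS from the refusals you observe; that iteration is the effort the text above warns about.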
Final thoughts on the Linux security technologies
Docker supports most of the important Linux security technologies and ships with sensible defaults that add security without being too restrictive. The figure below shows how Docker combines them into a defence-in-depth security posture with multiple layers.