Information
Seccomp filtering provides a means for a process to specify a filter for incoming system
calls. The default Docker seccomp profile works on whitelist basis and allows 311 system
calls blocking all others. It should not be disabled unless it hinders your container
application usage.A large number of system calls are exposed to every userland process with many of them
going unused for the entire lifetime of the process. Most of the applications do not need all
the system calls and thus benefit by having a reduced set of available system calls. The
reduced set of system calls reduces the total kernel surface exposed to the application and
thus improvises application security.
Solution
By default, seccomp profiles are enabled. You do not need to do anything unless you want
to modify and use the modified seccomp profile.Impact-With Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of --
cap-add passed to the container. You should create your own custom seccomp profile in
such cases. You may also disable the default seccomp profile by passing --security-
opt=seccomp-unconfined on docker run.
Default Value-When you run a container, it uses the default profile unless you override it with the --
security-opt option.