
11.2.4.1 Seccomp Profile

A focused guide to Seccomp Profile, connecting core concepts with practical Docker and container operations.

A seccomp profile restricts which system calls a container's process is permitted to make. Because the kernel enforces the filter, it sits beneath capabilities and file permissions, and it blocks a wide range of system calls that a typical containerized application has no legitimate need for.

Docker's Default Seccomp Profile

Without any explicit configuration, Docker applies a default seccomp profile that already blocks a substantial number of system calls considered unnecessary or risky for ordinary containers.

docker run myapp:1.0

This container receives Docker's default seccomp restriction automatically; no explicit --security-opt flag is required.

Disabling Seccomp Restriction (Generally Not Recommended)

Seccomp filtering can be disabled entirely, though doing so removes this layer of protection and should only be done for a specific, well-understood reason.

docker run --security-opt seccomp=unconfined myapp:1.0

This removes Docker's default seccomp restriction, a meaningful reduction in security posture that should be a deliberate, justified exception rather than a casual choice.

Applying a Custom, More Restrictive Profile

A custom seccomp profile can restrict system calls further than Docker's general-purpose default, tailored to a specific application's actual, narrower needs.

docker run --security-opt seccomp=custom-profile.json myapp:1.0

Contents of custom-profile.json:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "open", "close"], "action": "SCMP_ACT_ALLOW"}
  ]
}

A profile this restrictive permits only an explicitly allowed, minimal set of system calls and blocks everything else by default. The four names above are illustrative: a real process needs further calls simply to start (execve, mmap, brk and exit_group, among others), and modern C libraries open files with openat rather than open, so an actual profile has to be derived from the application's observed behaviour rather than written from guesswork.

Identifying Required System Calls for a Custom Profile

Building an effective custom profile typically requires observing which system calls an application actually uses during normal operation, to avoid blocking something genuinely needed.

Tracing the docker CLI itself records only the client's own system calls: the container's process is launched by the container runtime, not as a child of the docker command, so strace -f on the client never sees it. Attach strace to the container's process from the host instead (myapp-trace is a placeholder container name; strace must run with root privileges on the host, -c collects a per-syscall summary, and -f follows threads and children):

docker run -d --name myapp-trace myapp:1.0
strace -c -f -p "$(docker inspect -f '{{.State.Pid}}' myapp-trace)"

Exercise the application through its normal workload, then stop strace with Ctrl-C to print the summary. Because attaching happens after startup, system calls made only while the process was launching will not appear in it.

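Putting the two preceding sections together (observe the system calls, then write the allowlist profile), the following is an added Python example; it is not part of this guide and not Docker's own tooling. It parses an strace -c summary (the embedded summary is constructed sample data, not a real capture), emits a deny-by-default profile in the JSON format shown above, and reports which observed syscalls a given profile would refuse, including the guide's own four-call profile. The bootstrap syscall list and the names PAGE_MINIMAL_PROFILE, build_profile and blocked_by are assumptions for illustration.

```python
"""Turn an `strace -c` summary into a deny-by-default Docker seccomp profile,
and check which observed syscalls an existing profile would block.

Added example for this guide, not Docker's own tooling. The strace summary
below is constructed sample data, and the bootstrap syscall list is an
assumption for illustration."""
import json
import re

# Constructed sample of an `strace -c -f` summary (columns: % time, seconds,
# usecs/call, calls, errors, syscall). Not a real capture.
SAMPLE_STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 43.37    0.000412          13        31           read
 21.16    0.000201           9        22           write
 12.95    0.000123           6        19         3 openat
 10.32    0.000098           5        19           close
  6.53    0.000062          20         3           mmap
  4.11    0.000039          13         3           brk
  1.58    0.000015          15         1           exit_group
------ ----------- ----------- --------- --------- ----------------
100.00    0.000950                    98         3 total
"""

# One data row: percentage, seconds, usecs/call, calls, optional errors, name.
ROW = re.compile(r"^\s*[\d.]+\s+[\d.]+\s+\d+\s+\d+(?:\s+\d+)?\s+([a-z0-9_]+)\s*$")

# Syscalls a process issues while it is being launched; an strace attached
# after startup never sees them. Assumed minimal set for this example only.
BOOTSTRAP_SYSCALLS = ("execve", "arch_prctl", "brk", "mmap", "exit_group")

# The guide's own minimal profile, to check against observed behaviour.
PAGE_MINIMAL_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "open", "close"], "action": "SCMP_ACT_ALLOW"}
    ],
}


def parse_strace_summary(text):
    """Return the sorted list of distinct syscall names in an `strace -c` summary."""
    names = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) != "total":  # the final 'total' row is not a syscall
            names.add(m.group(1))
    return sorted(names)


def build_profile(observed, bootstrap=BOOTSTRAP_SYSCALLS):
    """Deny-by-default Docker profile allowing only observed plus bootstrap syscalls."""
    allowed = sorted(set(observed) | set(bootstrap))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


def _names_with_action(profile, want_allow):
    """Names from rules whose action is (want_allow=True) or is not SCMP_ACT_ALLOW."""
    names = set()
    for rule in profile.get("syscalls", []):
        if (rule.get("action") == "SCMP_ACT_ALLOW") == want_allow:
            names.update(rule.get("names", []))
    return names


def blocked_by(profile, observed):
    """Observed syscalls this profile would refuse, for either profile style:
    deny-by-default (anything not explicitly allowed) or allow-by-default
    (only what is explicitly given a non-allow action)."""
    observed = set(observed)
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return sorted(observed & _names_with_action(profile, want_allow=False))
    return sorted(observed - _names_with_action(profile, want_allow=True))


def profile_json(profile):
    """Serialise a profile as the JSON Docker reads from --security-opt seccomp=FILE."""
    return json.dumps(profile, indent=2) + "\n"


if __name__ == "__main__":
    seen = parse_strace_summary(SAMPLE_STRACE_SUMMARY)
    print("observed:", seen)
    print("guide's four-call profile would block:", blocked_by(PAGE_MINIMAL_PROFILE, seen))
    print(profile_json(build_profile(seen)))
```

To use it on a real trace, replace SAMPLE_STRACE_SUMMARY with the summary strace printed, write profile_json(build_profile(...)) to custom-profile.json and pass it with --security-opt seccomp=custom-profile.json. Then run the container under the generated profile through its full workload: a syscall the profile denies fails with EPERM (Docker's default errno for SCMP_ACT_ERRNO), which shows up as permission errors in the application's logs and is the cue to add that call and regenerate.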
Why Seccomp Profiles Matter

Seccomp filtering provides an important, kernel-enforced restriction on a container's actual system call surface, and understanding both Docker's sensible default and the option to apply an even more tailored, restrictive profile is valuable for applications with particularly demanding security requirements.