docker为了保证主机安全,docker开了很多安全设置,其中包括ASLR(Address space layout randomization),即docker里的内存地址和主机内存地址是不一样的。
acct |
Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
add_key |
Prevent containers from using the kernel keyring, which is not namespaced. |
adjtimex |
Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
bpf |
Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
clock_adjtime |
Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clock_settime |
Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clone |
Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
create_module |
Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
delete_module |
Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
finit_module |
Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
get_kernel_syms |
Deny retrieval of exported kernel and module symbols. Obsolete. |
get_mempolicy |
Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
init_module |
Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
ioperm |
Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
iopl |
Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
kcmp |
Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
kexec_file_load |
Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
kexec_load |
Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
keyctl |
Prevent containers from using the kernel keyring, which is not namespaced. |
lookup_dcookie |
Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
mbind |
Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
mount |
Deny mounting, already gated by CAP_SYS_ADMIN. |
move_pages |
Syscall that modifies kernel memory and NUMA settings. |
name_to_handle_at |
Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
nfsservctl |
Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
open_by_handle_at |
Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
perf_event_open |
Tracing/profiling syscall, which could leak a lot of information on the host. |
personality |
Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
pivot_root |
Deny pivot_root, should be privileged operation. |
process_vm_readv |
Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
process_vm_writev |
Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
ptrace |
Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
query_module |
Deny manipulation and functions on kernel modules. Obsolete. |
quotactl |
Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
reboot |
Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
request_key |
Prevent containers from using the kernel keyring, which is not namespaced. |
set_mempolicy |
Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
setns |
Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
settimeofday |
Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
socket, socketcall |
Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
stime |
Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
swapon |
Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
swapoff |
Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
sysfs |
Obsolete syscall. |
_sysctl |
Obsolete, replaced by /proc/sys. |
umount |
Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
umount2 |
Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
unshare |
Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user. |
uselib |
Older syscall related to shared libraries, unused for a long time. |
userfaultfd |
Userspace page fault handling, largely needed for process migration. |
ustat |
Obsolete syscall. |
vm86 |
In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
vm86old |
In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |