Docker Community Forums


Seccomp profile

I have been delving into Seccomp recently and was curious what the 2080505856 value is in the default profile: https://github.com/moby/moby/blob/1.12.x/profiles/seccomp/default.json#L1586

I have found a deck referring to 0x7C020000 as possibly meaning "failed to clone", but I do not see any official Docker/Moby docs on this.

Can anyone provide some insight into this?

You were right to start by translating it into hex, but there's another step needed: notice how the operation is "SCMP_CMP_MASKED_EQ". This is a bitmask. The argument that's being filtered with this mask is the 0th argument to the clone syscall, which is the 'flags' argument. So decompose this mask into its constituent parts and dereference them using the kernel headers that define the clone flags:

According to /usr/include/linux/sched.h, the value 0x7C020000 corresponds to the combination of all of the following flags:

#define CLONE_NEWNS         0x00020000      /* New mount namespace group */
#define CLONE_NEWUTS        0x04000000      /* New utsname namespace */
#define CLONE_NEWIPC        0x08000000      /* New ipc namespace */
#define CLONE_NEWUSER       0x10000000      /* New user namespace */
#define CLONE_NEWPID        0x20000000      /* New pid namespace */
#define CLONE_NEWNET        0x40000000      /* New network namespace */

So basically this rule in seccomp.json says “Anyone can call clone(2) as long as they don’t set any of these potentially dangerous flags when doing so”.
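The decomposition described in the answer above, worked through in code. This is an added example, not code from the original thread or from the Docker/Moby project: it splits a SCMP_CMP_MASKED_EQ mask into the CLONE_* flags from linux/sched.h, recomposes the flags back into the decimal value seen in the profile, and evaluates the rule's condition ((flags & value) == valueTwo) against a few candidate clone(2) flag words. The JSON rule is a constructed snippet in the shape of the profile's clone entry, not copied from the repository; valueTwo is assumed to be 0, which matches the "none of these bits may be set" reading. The flag table also carries CLONE_NEWCGROUP so that masks from newer profiles decode, and any bit not in the table is reported as leftover rather than silently dropped.

```python
import json

# Namespace-creating clone flags, values as defined in /usr/include/linux/sched.h.
CLONE_FLAGS = {
    "CLONE_NEWNS":     0x00020000,
    "CLONE_NEWCGROUP": 0x02000000,
    "CLONE_NEWUTS":    0x04000000,
    "CLONE_NEWIPC":    0x08000000,
    "CLONE_NEWUSER":   0x10000000,
    "CLONE_NEWPID":    0x20000000,
    "CLONE_NEWNET":    0x40000000,
}

# Constructed rule in the shape of the Docker default profile's clone entry.
# ASSUMPTION: valueTwo is 0, i.e. the rule matches only when none of the masked
# bits are set. Non-matching calls fall through to the profile's defaultAction.
CLONE_RULE_JSON = """
{
  "names": ["clone"],
  "action": "SCMP_ACT_ALLOW",
  "args": [
    {"index": 0, "value": 2080505856, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}
  ]
}
"""

# Constructed flag words for two ordinary clone(2) uses (values from linux/sched.h).
SIGCHLD = 17
FORK_FLAGS = 0x01000000 | 0x00200000 | SIGCHLD   # CLONE_CHILD_SETTID|CLONE_CHILD_CLEARTID|SIGCHLD
THREAD_FLAGS = 0x3D0F00                           # CLONE_VM|FS|FILES|SIGHAND|THREAD|SYSVSEM|SETTLS|PARENT_SETTID|CHILD_CLEARTID


def decode_mask(mask):
    """Split a mask into known CLONE_* names. Returns (names, leftover_bits)."""
    names = []
    leftover = mask
    for name, bit in CLONE_FLAGS.items():
        if mask & bit:
            names.append(name)
            leftover &= ~bit
    return names, leftover


def mask_from_names(names):
    """Recompose a mask from flag names (the inverse of decode_mask)."""
    mask = 0
    for name in names:
        mask |= CLONE_FLAGS[name]
    return mask


def masked_eq(arg, mask, expected):
    """libseccomp SCMP_CMP_MASKED_EQ semantics: (arg & mask) == expected."""
    return (arg & mask) == expected


def rule_matches(rule, flags):
    """True if every arg condition of the rule holds for the given clone flags.

    Only index-0 SCMP_CMP_MASKED_EQ conditions are handled; anything else raises
    so that an unsupported rule is never silently reported as matching.
    """
    for cond in rule["args"]:
        if cond["index"] != 0 or cond["op"] != "SCMP_CMP_MASKED_EQ":
            raise ValueError("unsupported condition: %r" % (cond,))
        if not masked_eq(flags, cond["value"], cond.get("valueTwo", 0)):
            return False
    return True


def load_rule():
    """Parse the constructed rule snippet."""
    return json.loads(CLONE_RULE_JSON)


if __name__ == "__main__":
    rule = load_rule()
    mask = rule["args"][0]["value"]
    names, leftover = decode_mask(mask)
    print("mask %d = 0x%08X = %s" % (mask, mask, " | ".join(names)))
    if leftover:
        print("  unknown bits: 0x%08X" % leftover)
    for label, flags in [("fork", FORK_FLAGS), ("thread", THREAD_FLAGS),
                         ("fork+NEWUSER", FORK_FLAGS | CLONE_FLAGS["CLONE_NEWUSER"])]:
        print("%-14s 0x%08X -> %s" % (label, flags,
              "ALLOW" if rule_matches(rule, flags) else "defaultAction"))
```

Running it shows the profile's decimal value decoding to exactly the six namespace flags listed in the answer, with fork- and thread-style clone calls matching the ALLOW rule while any call carrying a CLONE_NEW* bit does not, and therefore falls to the profile's defaultAction.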