MAC and seccomp
Mandatory Access Control systems
Docker works with major Linux MAC technologies such as AppArmor and SELinux.
Depending on your Linux distribution, Docker applies a default AppArmor profile to all new containers. According to the Docker documentation, this default profile is “moderately protective while providing wide application compatibility”.
Docker also lets you start containers with no policy applied, and lets you customize policies to meet specific requirements. This is very powerful, but it can also be prohibitively complex.
seccomp
Docker uses seccomp, in filter mode, to limit the syscalls a container can make to the host’s kernel.
As per the Docker security philosophy, all new containers get a default seccomp profile configured with sensible defaults. This is intended to provide moderate security without impacting application compatibility.
As always, you can customize seccomp profiles, and you can pass a flag to Docker so that containers can be started without a seccomp profile.
As with many of the technologies already mentioned, seccomp is extremely powerful. However, the Linux syscall table is long, and configuring the appropriate seccomp policies can be prohibitively complex.
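The following added example (not from the book or from Docker) shows the shape of a custom seccomp profile in the JSON format Docker accepts, how an allow-list profile falls through to its default action, and the `--security-opt` flags that select a custom profile or disable one. The syscall list is a constructed, deliberately tiny illustration; a real custom profile should start from Docker's shipped default profile.

```python
import json
from pathlib import Path

# Constructed, deliberately small allow-list to illustrate the format only.
# Docker's default profile allows a few hundred syscalls; derive custom
# profiles from it rather than from this list.
BASE_ALLOW = ["brk", "close", "exit_group", "fstat", "mmap", "mprotect", "munmap",
              "openat", "ptrace", "read", "rt_sigreturn", "write"]
ARCHES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]


def build_profile(allow, deny=()):
    """Build a Docker-format seccomp profile (filter mode, allow-list style).
    Anything not in the allow rule hits defaultAction and fails with an errno;
    names in `deny` are removed from the allow rule so they fall through too."""
    allowed = sorted(set(allow) - set(deny))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(ARCHES),
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def effective_action(profile, syscall):
    """Simplified lookup: first rule naming the syscall wins, else defaultAction.
    Real profiles can also match on argument values; `args` is ignored here."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def write_profile(profile, path):
    """Write the profile as JSON and return the path to hand to Docker."""
    Path(path).write_text(json.dumps(profile, indent=2))
    return str(path)


def security_opts(seccomp=None, apparmor=None):
    """Translate a choice into `docker run` flags. None keeps Docker's default
    profile, "unconfined" starts the container with no profile, and any other
    value names a custom one (a JSON path for seccomp, a loaded AppArmor profile)."""
    opts = []
    if seccomp is not None:
        opts += ["--security-opt", f"seccomp={seccomp}"]
    if apparmor is not None:
        opts += ["--security-opt", f"apparmor={apparmor}"]
    return opts


if __name__ == "__main__":
    hardened = build_profile(BASE_ALLOW, deny=["ptrace"])
    path = write_profile(hardened, "hardened-seccomp.json")
    print("docker run", *security_opts(seccomp=path), "alpine sh")
```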
Concluding Linux security technologies
Docker supports most of the important Linux security technologies and ships with sensible defaults that add security but aren’t too restrictive. The figure below shows how these technologies form multiple layers of potential security.