
docker security-opt

dockerd --security-opt

 

| Option | Description | Works with |
|---|---|---|
| `--security-opt="label=user:USER"` | Set the label user for the container | SELinux |
| `--security-opt="label=role:ROLE"` | Set the label role for the container | SELinux |
| `--security-opt="label=type:TYPE"` | Set the label type for the container | SELinux |
| `--security-opt="label=level:LEVEL"` | Set the label level for the container | SELinux |
| `--security-opt="label=disable"` | Turn off label confinement for the container | SELinux |
| `--security-opt="apparmor=PROFILE"` | Set the AppArmor profile to be applied to the container | AppArmor |
| `--security-opt="no-new-privileges:true"` | Disable container processes from gaining new privileges | |
| `--security-opt="seccomp=unconfined"` | Turn off seccomp confinement for the container | |
| `--security-opt="seccomp=profile.json"` | White-listed syscalls seccomp JSON file to be used as a seccomp filter | |
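As an added example (not part of the original page), the script below builds an allow-list seccomp profile in the JSON shape that `--security-opt seccomp=profile.json` consumes, audits an arbitrary profile for sensitive syscalls it leaves reachable, and assembles the matching `docker run` argument vector together with `no-new-privileges:true`. The baseline syscall list, the set of syscalls treated as sensitive and the `alpine:3.19` image name are constructed for illustration; a real profile is derived by tracing the actual workload and reviewing the result.

```python
import json
import tempfile
from pathlib import Path

# Constructed baseline: roughly what a small network service needs. Not a
# recommendation; derive the real list from the workload (e.g. with strace).
BASELINE_SYSCALLS = [
    "read", "write", "openat", "close", "fstat", "mmap", "munmap", "brk",
    "rt_sigaction", "rt_sigprocmask", "exit_group", "futex", "getpid",
    "clock_gettime", "nanosleep", "arch_prctl", "set_tid_address",
    "socket", "bind", "listen", "accept4", "connect", "sendto", "recvfrom",
    "epoll_create1", "epoll_ctl", "epoll_wait",
]

# Syscalls whose reachability from inside a container deserves review
# (chosen for this example, not an exhaustive list).
SENSITIVE_SYSCALLS = {
    "mount", "umount2", "ptrace", "keyctl", "kexec_load", "init_module",
    "finit_module", "reboot", "unshare", "bpf",
}


def build_allowlist_profile(syscalls, arches=("SCMP_ARCH_X86_64",)):
    """Seccomp profile dict: every syscall fails with EPERM unless listed."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [
            {"names": sorted(set(syscalls)), "action": "SCMP_ACT_ALLOW"},
        ],
    }


def audit_profile(profile):
    """Report whether a profile is an allow-list and which sensitive syscalls
    it still permits (works for deny-list profiles too)."""
    is_allowlist = profile.get("defaultAction") != "SCMP_ACT_ALLOW"
    explicit = {}
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            explicit[name] = rule.get("action")
    if is_allowlist:
        allowed = {n for n, act in explicit.items() if act == "SCMP_ACT_ALLOW"}
    else:
        # Deny-list: everything is reachable unless a rule blocks it.
        blocked = {n for n, act in explicit.items() if act != "SCMP_ACT_ALLOW"}
        allowed = SENSITIVE_SYSCALLS - blocked
    return {
        "allowlist": is_allowlist,
        "sensitive_allowed": sorted(allowed & SENSITIVE_SYSCALLS),
    }


def write_profile(profile, path):
    """Serialize the profile to disk; returns the path for use in docker run."""
    Path(path).write_text(json.dumps(profile, indent=2))
    return path


def docker_run_args(profile_path, image="alpine:3.19"):
    """Argument vector combining the seccomp file with no-new-privileges.
    The image name is a placeholder."""
    return [
        "docker", "run", "--rm",
        "--security-opt", f"seccomp={profile_path}",
        "--security-opt", "no-new-privileges:true",
        image,
    ]


if __name__ == "__main__":
    profile = build_allowlist_profile(BASELINE_SYSCALLS)
    out = write_profile(profile, Path(tempfile.mkdtemp()) / "profile.json")
    print("audit:", audit_profile(profile))
    print(" ".join(docker_run_args(str(out))))
```

Running the script prints the audit summary and the `docker run` line; the profile is written under a temporary directory so nothing is executed against the Docker daemon.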

 

cap

| Flag | Description |
|---|---|
| `--cap-add` | Add Linux capabilities |
| `--cap-drop` | Drop Linux capabilities |
| `--privileged` | Give extended privileges to this container |
| `--device=[]` | Allows you to run devices inside the container without the `--privileged` flag. |

Capabilities not granted by default (can be added with `--cap-add`):

| Capability | Description |
|---|---|
| SYS_MODULE | Load and unload kernel modules. |
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
| SYS_ADMIN | Perform a range of system administration operations. |
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
| SYS_RESOURCE | Override resource limits. |
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
| NET_ADMIN | Perform various network-related operations. |
| SYSLOG | Perform privileged syslog(2) operations. |
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
| WAKE_ALARM | Trigger something that will wake up the system. |
| BLOCK_SUSPEND | Employ features that can block system suspend. |
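To make the `--cap-add` / `--cap-drop` / `--privileged` semantics concrete, the following added example (not code from the original page or from Docker) computes the capability set a container ends up with and flags the ones from the table above that most enlarge its reach. `DEFAULT_CAPS` is the default set from Docker's documentation at the time of writing and should be checked against your Engine version; `ALL_CAPS` is only the union of that set and the table above, not the kernel's complete capability list, and `HIGH_RISK` is a reviewer's selection made for this example.

```python
# Docker's documented default capability set for a non-privileged container
# (verify against your Engine version).
DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})

# The non-default capabilities listed in the table above.
NON_DEFAULT_CAPS = frozenset({
    "SYS_MODULE", "SYS_RAWIO", "SYS_PACCT", "SYS_ADMIN", "SYS_NICE",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "AUDIT_CONTROL", "MAC_ADMIN",
    "MAC_OVERRIDE", "NET_ADMIN", "SYSLOG", "DAC_READ_SEARCH", "LINUX_IMMUTABLE",
    "NET_BROADCAST", "IPC_LOCK", "IPC_OWNER", "SYS_PTRACE", "SYS_BOOT", "LEASE",
    "WAKE_ALARM", "BLOCK_SUSPEND",
})

# Union of the two tables on this page only; the kernel defines more.
ALL_CAPS = DEFAULT_CAPS | NON_DEFAULT_CAPS

# Capabilities a reviewer would want to justify explicitly (chosen for this example).
HIGH_RISK = frozenset({
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH",
    "SYS_BOOT", "NET_ADMIN", "MAC_ADMIN", "MAC_OVERRIDE",
})


def normalize(cap):
    """Accept both 'sys_admin' and 'CAP_SYS_ADMIN' spellings."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_caps(cap_add=(), cap_drop=(), privileged=False):
    """Capabilities the container receives after --cap-add/--cap-drop.

    'ALL' in --cap-drop empties the starting set, 'ALL' in --cap-add starts
    from every known capability; named entries are then added and dropped.
    """
    if privileged:
        return set(ALL_CAPS)
    adds = {normalize(c) for c in cap_add}
    drops = {normalize(c) for c in cap_drop}
    for cap in (adds | drops) - {"ALL"}:
        if cap not in ALL_CAPS:
            raise ValueError(f"unknown capability: {cap}")
    if "ALL" in adds:
        caps = set(ALL_CAPS)
    elif "ALL" in drops:
        caps = set()
    else:
        caps = set(DEFAULT_CAPS)
    caps |= adds - {"ALL"}
    caps -= drops - {"ALL"}
    return caps


def review_run_flags(cap_add=(), cap_drop=(), privileged=False):
    """Summary for a change review: what the container gets beyond the
    default set and which of those are high risk."""
    caps = effective_caps(cap_add, cap_drop, privileged)
    return {
        "effective": sorted(caps),
        "beyond_default": sorted(caps - DEFAULT_CAPS),
        "high_risk": sorted(caps & HIGH_RISK),
    }


if __name__ == "__main__":
    # Least-privilege pattern: drop everything, add back only what is needed.
    print(review_run_flags(cap_add=["NET_BIND_SERVICE"], cap_drop=["ALL"]))
    # What a single --cap-add SYS_ADMIN really means on top of the defaults.
    print(review_run_flags(cap_add=["CAP_SYS_ADMIN"]))
```

The `--cap-drop ALL` plus `--cap-add <needed>` pattern in the first call is the usual way to run a service that only needs to bind a low port; the second call shows why a lone `--cap-add SYS_ADMIN` deserves scrutiny in review.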

 

Author: 萱乐庆foreverlove
Source: https://www.cnblogs.com/leleyao/p/12981953.html

Page link: https://www.javaclub.cn/java/117153.html

Tags: Security