Docker Seccomp Configuration In Depth: Principles and Customization Practice
In the container security stack, Seccomp (Secure Computing Mode) is a sandboxing mechanism provided by the Linux kernel that restricts which system calls a process may issue. Docker uses Seccomp to build a kernel-level line of defense around containers: even if an attacker gains code execution inside a container, dangerous system calls (such as loading kernel modules or changing kernel parameters) cannot be made, which significantly shrinks the attack surface and helps prevent container escape.
1. Core Concepts of Seccomp
| Concept | Description |
|---|---|
| System call (syscall) | The interface through which a user-space program requests kernel services, e.g. opening a file (open), creating a process (clone), or mounting a filesystem (mount). |
| Seccomp | A Linux kernel feature that lets a process define which system calls are allowed or forbidden. Once set, a call that violates the rules either fails outright or causes the kernel to terminate the process. |
| Seccomp profile | A JSON file that defines which system calls are permitted, the default action for calls (allow, deny, kill the process, etc.), and per-call override rules. |
Docker containers enable Seccomp by default and load a built-in default profile that blocks roughly 40-odd dangerous system calls (such as reboot, kexec_load, and certain uses of mount) while permitting the vast majority of common calls, striking a balance between security and compatibility.
2. How Seccomp Works in Docker
When the Docker daemon creates a container, the Seccomp profile is applied to the container's process through the libseccomp library. The whole process is transparent to the application inside the container; no code changes are needed.
Flowchart (rendered as a diagram in the original; recovered labels): the user starts a container with docker run → Docker Daemon → Seccomp profile source: the built-in default profile (default) or --security-opt seccomp=/path/to/profile.json (custom) → containerd → runc → Linux Kernel applies the Seccomp filter to the container process → the process issues a system call → allowed: the system call executes; denied/violation: the configured action runs (kill the process / return an error).
Flow description:
- The user starts the container with docker run and may pass --security-opt seccomp=<profile> to use a custom profile; if none is given, Docker's built-in default profile is used.
- The Docker daemon passes the profile to the container runtime (containerd → runc).
- Before starting the container process, runc loads the Seccomp filter into the kernel.
- Every time a process inside the container issues a system call, the kernel checks whether it is allowed. If it is denied, the profile decides whether an error is returned (SCMP_ACT_ERRNO) or the process is killed outright (SCMP_ACT_KILL).
3. The Default Seccomp Profile
Docker's default Seccomp profile lives in the Docker source tree and uses an allowlist model (in effect, only specific high-risk calls are blocked). It consists of these key parts:
- defaultAction: SCMP_ACT_ERRNO (return an error by default rather than killing the process).
- architectures: the supported architectures, e.g. amd64 and arm64.
- syscalls: an array whose entries each name one or more system calls together with the action to apply.
Examples of calls blocked by default: clock_settime, kexec_load, mount (certain options), reboot, setns (restricting namespace switching), and others.
Why not a deny-everything allowlist?
Because the system calls different applications depend on vary enormously; a fully strict allowlist would leave most containers unable to start. Docker's strategy is to permit the bulk of safe calls by default and block only the known dangerous ones.
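How a profile of this shape is evaluated, as an added Python model (this is not Docker's or libseccomp's code and not part of the original article): PROFILE is a constructed miniature with the default profile's layout, the personality and clone argument rules are modeled on the ones in Docker's default profile, and _arg_matches is a simplified rendering of libseccomp's comparison operators. The point it makes concrete is that the "blocked" calls are simply the ones no ALLOW rule lists, so they fall through to defaultAction.

```python
"""Model of how a Docker-style Seccomp profile is evaluated.

Added example, not Docker's or libseccomp's code. PROFILE is a constructed
miniature with the default profile's layout; the personality and clone
argument rules are modeled on the ones in Docker's default profile, and
_arg_matches is a simplified version of libseccomp's comparison operators.
"""

# Mask of the CLONE_NEW* namespace flags (CLONE_NEWNS | CLONE_NEWCGROUP |
# CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET).
CLONE_NAMESPACE_FLAGS = 0x7E020000

PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
    "syscalls": [
        # Plain allow rule: the real default lists a few hundred names here.
        {"names": ["read", "write", "openat", "close", "mmap", "futex"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # clone is allowed only when no namespace flags are set:
        # (flags & mask) == 0, expressed with SCMP_CMP_MASKED_EQ.
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": CLONE_NAMESPACE_FLAGS,
                   "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]},
        # personality is allowed for a few harmless values only; every other
        # value matches no rule and falls through to defaultAction.
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0x0, "op": "SCMP_CMP_EQ"}]},
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0x8, "op": "SCMP_CMP_EQ"}]},
    ],
}


def _arg_matches(cond, argv):
    """Apply one argument condition (index/value/valueTwo/op) to argv."""
    idx = cond["index"]
    if idx >= len(argv):
        return False                      # nothing to compare against
    actual = argv[idx]
    value = cond.get("value", 0)
    value_two = cond.get("valueTwo", 0)
    op = cond["op"]
    if op == "SCMP_CMP_EQ":
        return actual == value
    if op == "SCMP_CMP_NE":
        return actual != value
    if op == "SCMP_CMP_LT":
        return actual < value
    if op == "SCMP_CMP_LE":
        return actual <= value
    if op == "SCMP_CMP_GT":
        return actual > value
    if op == "SCMP_CMP_GE":
        return actual >= value
    if op == "SCMP_CMP_MASKED_EQ":
        # value is the mask, valueTwo the expected result after masking
        return (actual & value) == value_two
    raise ValueError(f"unknown comparison op {op}")


def decide(profile, syscall, argv=()):
    """Return the action the profile assigns to one syscall invocation.

    A rule matches when the name is listed and all of its argument
    conditions hold; a syscall matched by no rule gets defaultAction.
    """
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        if all(_arg_matches(c, argv) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


def blocked_by_default(profile, candidates):
    """Names from candidates that appear in no ALLOW rule at all; this is
    what the 'roughly 40 blocked calls' of the default profile amount to."""
    allowed = {n for r in profile["syscalls"]
               if r["action"] == "SCMP_ACT_ALLOW" for n in r["names"]}
    return sorted(set(candidates) - allowed)


if __name__ == "__main__":
    for call, args in [("read", ()), ("reboot", ()), ("personality", (0x8,)),
                       ("personality", (0x1000,)), ("clone", (0x11,)),
                       ("clone", (0x10000011,))]:
        print(call, [hex(a) for a in args], "->", decide(PROFILE, call, args))
    print(blocked_by_default(PROFILE, ["read", "reboot", "kexec_load", "mount"]))
```

The model deliberately treats multiple args entries in one rule as a conjunction and walks rules in order; the real filter is compiled to BPF by libseccomp, but the observable outcome for the cases above is the same: clone with a CLONE_NEW* flag and personality with an unexpected value both receive the defaultAction error.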
4. How to Customize a Seccomp Profile (the Steps in Principle)
When the default profile is too permissive or too strict, it can be tailored to the application's needs. Customization follows these steps:
- Obtain the default profile as a template
  Take the default JSON profile from the Docker source or the official documentation and modify it from there, so that required calls are not left out.
- Decide the customization goal
  - Hardening: additionally disable unneeded system calls to shrink the attack surface further.
  - Compatibility: open up calls that are blocked by default but needed by specific applications (debugging tools, special databases).
- Edit the profile
  - Change defaultAction: SCMP_ACT_ERRNO, or the stricter SCMP_ACT_KILL.
  - Add new rules to the syscalls array, specifying an action for particular system calls.
  - Use the names, action and args fields for fine-grained control (e.g. allowing only particular argument combinations for mount).
- Verify and test
  Use tools such as strace inside the container to trace the application's actual system calls and make sure the custom profile does not break it. Load it for testing with docker run --security-opt seccomp=<profile>.
- Deploy and maintain
  Put the final profile under version control and apply it to containers automatically through CI/CD.
Customization decision tree (rendered as a diagram in the original; recovered labels): Start customizing → What is the goal? → Harden security: analyze the default block list and add further high-risk calls; or Fix compatibility: the application errors out, trace the missing system calls, add allowlist rules to the profile → Test whether business functions are affected → Tests pass? Yes: deploy; No: adjust the profile and retest.
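The "edit the profile" step along both branches of the decision tree, as an added Python example (not Docker's own tooling and not from the original article): BASE_PROFILE is a constructed miniature with the default profile's layout, and harden, permit and set_default_action are helper names chosen here. The hardening branch removes names from the ALLOW rules, the compatibility branch appends an ALLOW rule for calls not already permitted, and the result is written to a file ready for --security-opt seccomp=.

```python
"""Derive hardened and compatibility variants from a base Seccomp profile.

Added example (not Docker's own tooling). BASE_PROFILE is a constructed
miniature with the default profile's layout; the function names are mine.
"""
import copy
import json

# Actions libseccomp/runc accept in a profile; anything else is rejected.
VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP", "SCMP_ACT_LOG",
                 "SCMP_ACT_TRACE"}

BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap", "futex",
                   "ptrace", "personality"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}


def allowed_names(profile):
    """Every syscall name that some ALLOW rule lists."""
    return {n for r in profile["syscalls"]
            if r["action"] == "SCMP_ACT_ALLOW" for n in r["names"]}


def harden(profile, drop):
    """Hardening: remove names from every ALLOW rule so that they fall back
    to defaultAction. Removing is preferable to appending a deny rule,
    because a call listed in both an ALLOW and a deny rule then depends on
    rule precedence rather than on an obviously absent entry."""
    out = copy.deepcopy(profile)
    for rule in out["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n not in drop]
    out["syscalls"] = [r for r in out["syscalls"] if r["names"]]
    return out


def permit(profile, add):
    """Compatibility: append one ALLOW rule for calls the application needs,
    skipping names that are already allowed so the profile stays minimal."""
    out = copy.deepcopy(profile)
    missing = sorted(set(add) - allowed_names(out))
    if missing:
        out["syscalls"].append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return out


def set_default_action(profile, action):
    """Switch defaultAction, e.g. from SCMP_ACT_ERRNO to SCMP_ACT_KILL.
    A misspelled action would only surface when runc rejects the profile
    at container start, so validate it here."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"not a seccomp action: {action}")
    out = copy.deepcopy(profile)
    out["defaultAction"] = action
    return out


def to_json(profile):
    """Serialize in the indented form the default profile uses."""
    return json.dumps(profile, indent=2)


def write_profile(profile, path):
    with open(path, "w", encoding="utf-8") as f:
        f.write(to_json(profile))
    return path


if __name__ == "__main__":
    hardened = set_default_action(
        harden(BASE_PROFILE, {"ptrace", "personality"}), "SCMP_ACT_KILL")
    compat = permit(BASE_PROFILE, {"perf_event_open", "read"})
    write_profile(hardened, "hardened.json")
    write_profile(compat, "compat.json")
    # Load for testing exactly as the steps above describe:
    print("docker run --security-opt seccomp=hardened.json <image>")
```

Both helpers copy the input rather than mutating it, so the template downloaded from the Docker source stays untouched and each variant can be diffed against it in version control, which is what the deploy-and-maintain step asks for.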
5. Seccomp and Java Applications
Java applications run on the JVM, and the JVM itself issues a large number of system calls (memory mapping, thread creation, file I/O, and so on). Docker's default Seccomp profile is normally compatible with Java, but the following scenarios deserve attention:
- Custom JVM flags: enabling -XX:+UseTransparentHugePages, for example, may require specific calls.
- JNI native libraries: if the application calls native code, it may use non-standard system calls that have to be permitted in the profile.
- Performance monitoring tools: using perf or strace inside the container requires permitting calls such as perf_event_open.
- Maximum-security scenarios: calls unrelated to the business can be blocked, e.g. ptrace (anti-debugging) and personality.
Best practice: run Java microservices with the default profile; if adjustments are needed for special requirements, first gather statistics on the system calls made at runtime with strace -c, then derive a minimal custom profile.
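The "verify and test" step of section 4 and the strace -c best practice above, carried through as one added Python example (not from the original article): STRACE_SUMMARY is constructed sample output in the table format strace -c prints, parse_strace_summary extracts the syscall names from it, and minimal_profile turns them into an allowlist profile with the layout described in section 3. The extra parameter and the function names are this example's own.

```python
"""Turn an `strace -c` summary into a minimal Seccomp allowlist profile.

Added example, not from the original article. STRACE_SUMMARY is constructed
sample output in the format `strace -c` prints; the functions are mine.
"""
import json

STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.21    0.004021          40       100           futex
 25.10    0.002510           5       502           read
 15.00    0.001500           3       500           write
 10.00    0.001000          20        50         3 openat
  5.00    0.000500          25        20           mmap
  3.00    0.000300          30        10           clone3
  1.69    0.000169          42         4         4 rseq
------ ----------- ----------- --------- --------- ----------------
100.00    0.010000                  1186         7 total
"""


def parse_strace_summary(text):
    """Return the set of syscall names in an `strace -c` table.

    The syscall name is the last column; the `errors` column is blank when
    zero, so splitting on whitespace and taking the last token is robust.
    Header, rule and total lines are skipped.
    """
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("%", "-")):
            continue
        if parts[-1] == "total":
            continue
        names.add(parts[-1])
    return names


def minimal_profile(observed, extra=(), default_action="SCMP_ACT_ERRNO",
                    arches=("SCMP_ARCH_X86_64",)):
    """Build an allowlist profile: every observed call is allowed, all else
    gets default_action. `extra` is for calls the process needs that a short
    trace may not show (execve to start, exit_group to stop, and so on)."""
    names = sorted(set(observed) | set(extra))
    return {
        "defaultAction": default_action,
        "architectures": list(arches),
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW", "args": []}],
    }


if __name__ == "__main__":
    # Typical capture: strace -f -c -o summary.txt java -jar app.jar
    # (-f follows the JVM's threads, -c prints the summary table, -o the file).
    seen = parse_strace_summary(STRACE_SUMMARY)
    profile = minimal_profile(seen, extra=("execve", "exit_group"))
    print(json.dumps(profile, indent=2))
```

The caveat that matters in practice: strace -c only counts calls on code paths that actually ran during the trace, and the JVM's JIT compiler, GC threads and rarely exercised branches may issue calls that never appeared. Capture under realistic load with -f so the JVM's threads are included, and test the resulting profile before deploying; under SCMP_ACT_ERRNO an unlisted call surfaces as an EPERM-style failure, which is exactly the "application errors out, trace the missing call" branch of the decision tree.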
6. Combining Seccomp with Other Security Mechanisms
Seccomp is one layer of defense in depth and should work together with other measures:
| Security mechanism | Layer it acts on | How it complements Seccomp |
|---|---|---|
| Capabilities | Limits the privileges of root processes | Seccomp filters calls; Capabilities limit what a process is able to do |
| AppArmor / SELinux | Mandatory access control over file and network resources | Finer-grained resource control |
| Running as a non-root user | Lowers process privilege | Prevents abuse of unfiltered calls after a privilege escalation |
| Read-only root filesystem | Prevents file tampering | Combined with Seccomp blocking calls such as mount |
7. Mind Map Summary
Container Seccomp configuration (rendered as a mind map in the original; recovered nodes):
- Concepts: Linux kernel system call filtering; enabled by default in Docker
- Workflow: profile loaded at container start; kernel checks system calls; violating calls handled according to the rules
- Default profile: allowlist-based deny model; blocks 40+ dangerous calls; returns an EPERM error
- Customization: obtain the default template; change defaultAction and rules; test with strace; deploy with version control
- Java applications: usually compatible with the default profile; watch for special JVM calls; JNI needs extra consideration
- Complementary security: Capabilities; AppArmor / SELinux; non-root user
Understanding how Seccomp works and how to customize it shows an interviewer that a candidate grasps container security at the kernel level and thinks practically about fine-grained hardening when deploying Java applications.