Docker seccomp适用于alpine / busybox，但不适用于ubuntu

从docker-lab起，您似乎还缺少两个属性，无法使其在Linux上正常工作

default-no-chmod.json配置文件是对default.json配置文件的修改，从其白名单中删除了chmod()，fchmod()和chmodat()系统调用。

security-seccomp

{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
],
"syscalls": [
    {
        "name": "chmod",
        "action": "SCMP_ACT_ERRNO",
        "args": []
    },
      {
        "name": "fchmod",
        "action": "SCMP_ACT_ERRNO",
        "args": [

        ]
      },
      {
        "name": "fchmodat",
        "action": "SCMP_ACT_ERRNO",
        "args": [

        ]
      },
    {
        "name": "chown",
        "action": "SCMP_ACT_ERRNO",
        "args": []
    },
    {
        "name": "chown32",
        "action": "SCMP_ACT_ERRNO",
        "args": []
    }] 
}

现在，如果您从ubuntu尝试，您将获得预期的结果

docker run -it --security-opt seccomp=profile.json ubuntu:18.04 /bin/sh -c " chmod +x /etc/hosts"

chmod: changing permissions of '/etc/hosts': Operation not permitted

同样，busybox的结果相同

docker run -it --security-opt seccomp=profile.json busybox /bin/sh -c " chmod +x /etc/host"
chmod: /etc/host: No such file or directory