dockerd --security-opt

 

--security-opt="label=user:USER"    Set the label user for the container
--security-opt="label=role:ROLE"    Set the label role for the container
--security-opt="label=type:TYPE"    Set the label type for the container
--security-opt="label=level:LEVEL"    Set the label level for the container
--security-opt="label=disable"    Turn off label confinement for the container
work with selinux
--security-opt="apparmor=PROFILE" Set the apparmor profile to be applied to the container
work with
apparmor
-----------------------------------------------------------------------------------------
--security-opt="no-new-privileges:true" Disable container processes from gaining new privileges

--security-opt="seccomp=unconfined" Turn off seccomp confinement for the container

--security-opt="seccomp=profile.json" White-listed syscalls seccomp Json file to be used as a seccomp filter

 

cap

--cap-add    Add Linux capabilities
--cap-drop    Drop Linux capabilities
--privileged    Give extended privileges to this container
--device=[]    Allows you to run devices inside the container without the --privileged flag.
SYS_MODULE    Load and unload kernel modules.
SYS_RAWIO    Perform I/O port operations (iopl(2) and ioperm(2)).
SYS_PACCT    Use acct(2), switch process accounting on or off.
SYS_ADMIN    Perform a range of system administration operations.
SYS_NICE    Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
SYS_RESOURCE    Override resource Limits.
SYS_TIME    Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
SYS_TTY_CONFIG    Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.
AUDIT_CONTROL    Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
MAC_ADMIN    Allow MAC configuration or state changes. Implemented for the Smack LSM.
MAC_OVERRIDE    Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
NET_ADMIN    Perform various network-related operations.
SYSLOG    Perform privileged syslog(2) operations.
DAC_READ_SEARCH    Bypass file read permission checks and directory read and execute permission checks.
LINUX_IMMUTABLE    Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.
NET_BROADCAST    Make socket broadcasts, and listen to multicasts.
IPC_LOCK    Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
IPC_OWNER    Bypass permission checks for operations on System V IPC objects.
SYS_PTRACE    Trace arbitrary processes using ptrace(2).
SYS_BOOT    Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
LEASE    Establish leases on arbitrary files (see fcntl(2)).
WAKE_ALARM    Trigger something that will wake up the system.
BLOCK_SUSPEND    Employ features that can block system suspend.