dockerd --security-opt
--security-opt="label=user:USER"    Set the label user for the container
--security-opt="label=role:ROLE"    Set the label role for the container
--security-opt="label=type:TYPE"    Set the label type for the container
--security-opt="label=level:LEVEL"  Set the label level for the container
--security-opt="label=disable"      Turn off label confinement for the container
    (the label= options work with SELinux)
--security-opt="apparmor=PROFILE"   Set the apparmor profile to be applied to the container
    (works with AppArmor)
-----------------------------------------------------------------------------------------
--security-opt="no-new-privileges:true" Disable container processes from gaining new privileges
--security-opt="seccomp=unconfined" Turn off seccomp confinement for the container
--security-opt="seccomp=profile.json" Use the given seccomp JSON file (a whitelist of allowed syscalls) as the container's seccomp filter
cap
--cap-add     Add Linux capabilities
--cap-drop    Drop Linux capabilities
--privileged  Give extended privileges to this container
--device=[]   Allows you to run devices inside the container without the --privileged flag.
SYS_MODULE       Load and unload kernel modules.
SYS_RAWIO        Perform I/O port operations (iopl(2) and ioperm(2)).
SYS_PACCT        Use acct(2), switch process accounting on or off.
SYS_ADMIN        Perform a range of system administration operations.
SYS_NICE         Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
SYS_RESOURCE     Override resource limits.
SYS_TIME         Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
SYS_TTY_CONFIG   Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.
AUDIT_CONTROL    Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
MAC_ADMIN        Allow MAC configuration or state changes. Implemented for the Smack LSM.
MAC_OVERRIDE     Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
NET_ADMIN        Perform various network-related operations.
SYSLOG           Perform privileged syslog(2) operations.
DAC_READ_SEARCH  Bypass file read permission checks and directory read and execute permission checks.
LINUX_IMMUTABLE  Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.
NET_BROADCAST    Make socket broadcasts, and listen to multicasts.
IPC_LOCK         Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
IPC_OWNER        Bypass permission checks for operations on System V IPC objects.
SYS_PTRACE       Trace arbitrary processes using ptrace(2).
SYS_BOOT         Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
LEASE            Establish leases on arbitrary files (see fcntl(2)).
WAKE_ALARM       Trigger something that will wake up the system.
BLOCK_SUSPEND    Employ features that can block system suspend.
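Added example (not part of the original page or of Docker itself): a small Python audit that reads a container process's /proc/<pid>/status and reports which of the capabilities listed above are effective, whether no-new-privileges is set, and whether a seccomp filter is loaded, so the effect of --cap-drop/--cap-add, --privileged and --security-opt can be verified from inside the container. Capability bit numbers follow linux/capability.h; the two status samples are constructed, and the 0xa80425fb mask is assumed to be what a default container reports.

```python
"""Audit /proc/<pid>/status for the settings covered on this page:
effective capabilities, NoNewPrivs and the seccomp mode."""
import re

# Capability numbers from linux/capability.h (list index == cap number).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
# The capabilities tabulated on this page; a hardened container should have none.
NON_DEFAULT = {
    "SYS_MODULE", "SYS_RAWIO", "SYS_PACCT", "SYS_ADMIN", "SYS_NICE",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "AUDIT_CONTROL", "MAC_ADMIN",
    "MAC_OVERRIDE", "NET_ADMIN", "SYSLOG", "DAC_READ_SEARCH", "LINUX_IMMUTABLE",
    "NET_BROADCAST", "IPC_LOCK", "IPC_OWNER", "SYS_PTRACE", "SYS_BOOT", "LEASE",
    "WAKE_ALARM", "BLOCK_SUSPEND",
}

def decode_caps(mask_hex):
    """Turn a CapEff-style hex mask into the set of capability names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def audit_status(status_text):
    """Parse /proc/<pid>/status text and report the security-relevant fields."""
    fields = dict(re.findall(r"^(\w+):\s*(\S+)", status_text, re.M))
    caps = decode_caps(fields.get("CapEff", "0"))
    return {
        "effective": caps,
        "beyond_default": sorted(caps & NON_DEFAULT),   # caps from the page's table
        "no_new_privs": fields.get("NoNewPrivs") == "1",  # --security-opt=no-new-privileges
        # Seccomp: 0 = disabled, 1 = strict, 2 = filter (a profile is loaded)
        "seccomp_filter": fields.get("Seccomp") == "2",
    }

# Constructed sample: assumed output of a default `docker run` process.
SAMPLE_DEFAULT = "Name:\tsh\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n"
# Constructed sample: a --privileged container (all 41 capability bits, seccomp off).
SAMPLE_PRIVILEGED = "CapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("privileged", SAMPLE_PRIVILEGED)):
        print(label, audit_status(text))
```

Inside a running container, feed it `open("/proc/self/status").read()` instead of the samples; an empty `beyond_default` list together with `no_new_privs` and `seccomp_filter` both true is the expected result for a hardened `docker run`.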