--- /dev/null
+2
+blacklist
+# v2 allows comments after the second line, with '#' in first column,
+# blacklist will allow syscalls by default
+# if 'errno 0' was not appended to 'mknod' below, then the task would
+# simply be killed when it tried to mknod. 'errno 0' means do not allow
+# the container to mknod, but immediately return 0.
+mknod errno 0
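Review bot: the header comment (lines 4-8) documents what `errno 0` does but never states the default action for a listed syscall that carries no action at all; the sentence "if 'errno 0' was not appended ... the task would simply be killed" only implies that kill is the default for blacklist entries, so spell it out, e.g. `# listed syscalls kill the task unless an action such as 'errno N' is appended`. Since this example allows every system call except `mknod`, a one-line comment that it is illustrative rather than a recommended confinement profile would also stop readers from copying it as a hardening policy as-is.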
--- /dev/null
+2
+whitelist trap
+# 'whitelist' would normally mean kill a task doing any syscall which is not
+# whitelisted below. By appending 'trap' to the line, we will cause a SIGSYS
+# to be sent to the task instead. 'errno 0' would mean don't allow the system
+# call but immediately return 0. 'errno 22' would mean return EINVAL immediately.
+[x86_64]
+open
+close
+read
+write
+mount
+umount2
+# Since we are listing system calls by name, we can also ask to have them resolved
+# for another arch, i.e. for 32/64-bit versions.
+[x86]
+open
+close
+read
+write
+mount
+umount2
+# Do note that this policy does not whitelist enough system calls to allow a
+# system container to boot.
<para>
A container can be started with a reduced set of available
system calls by loading a seccomp profile at startup. The
- seccomp configuration file should begin with a version number
- (which currently must be 1) on the first line, a policy type
- (which must be 'whitelist') on the second line, followed by a
- list of allowed system call numbers, one per line.
+ seccomp configuration file must begin with a version number
+ on the first line, a policy type on the second line, followed
+ by the configuration.
</para>
+ <para>
+ Versions 1 and 2 are currently supported. In version 1, the
+ policy is a simple whitelist. The second line therefore must
+ read "whitelist", with the rest of the file containing one (numeric)
+ sycall number per line. Each syscall number is whitelisted,
+ while every unlisted number is blacklisted for use in teh container
+ </para>
+
+ <para>
+ In version 2, the policy may be blacklist or whitelist,
+ supports per-rule and per-policy default actions, and supports
+ per-architecture system call resolution from textual names.
+ </para>
+ <para>
+ An example blacklist policy, in which all system calls are
+ allowed except for mknod, which will simply do nothing and
+ return 0 (success), looks like:
+ </para>
+<screen>
+2
+blacklist
+mknod errno 0
+</screen>
<variablelist>
<varlistentry>
<term>
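Review bot: lines 50-51 contain typos in user-facing man page text ("sycall" should be "syscall", "teh" should be "the") and the sentence ending at "container" is missing its full stop. The new paragraph on lines 55-57 advertises per-rule and per-policy default actions and per-architecture name resolution, but the man page never documents their syntax: the `errno N`, `trap` and `[x86_64]`/`[x86]` forms appear only in the example policy files added by this patch, so either describe them here (a sentence each for `errno N`, `trap` and `[arch]` section headers) or add a second `<screen>` with the whitelist example so the manual is self-contained. On line 44, "followed by the configuration" is vague; "followed by the policy body, one rule per line" matches what the examples show. Minor: the `<screen>` block at lines 64-68 is flush-left while the surrounding `<para>` elements are indented.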