Seccomp defines which system calls a container is and is not allowed to make. The rules are written in a JSON profile that is applied when the container starts. In this initial step we've defined a seccomp profile that prevents containers from running chmod.
Applying Restrictions to Containers
Launch a container and try to run chmod.
# the alpine image is assumed here; the original command omitted the image name
docker run --rm -it \
  --security-opt seccomp:1_chmod.json \
  alpine \
  chmod 400 /etc/hostname
When the container attempted to execute chmod, the call failed with Operation not permitted, because our seccomp profile blocked the underlying system call.
We can extend the seccomp profile to list every system call we want to allow or deny. This lets us block potential attack vectors or close off vulnerabilities without changing our application.
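As an added example (not the scenario's own file), here is a seccomp profile of the kind 1_chmod.json is described as being, written in Docker's profile format. Its exact contents are an assumption based on the behaviour described above: everything is allowed by default, and the three syscalls that change file modes (chmod, fchmod, fchmodat) return an error, which is why chmod reports Operation not permitted.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "chmod",
        "fchmod",
        "fchmodat"
      ],
      "action": "SCMP_ACT_ERRNO",
      "args": []
    }
  ]
}
```

The defaultAction is what applies to any syscall not matched by an entry in syscalls; SCMP_ACT_ERRNO fails the call with an errno (EPERM in Docker) instead of killing the process, which is why the shell in the container keeps running and only chmod fails. Blocking chmod alone is not enough if fchmod and fchmodat stay open, since libc and many tools use those variants, so deny rules should cover the whole syscall family. To extend the profile, add further names to this entry or add more entries with their own action; the opposite style, a default of SCMP_ACT_ERRNO with an explicit allow list under SCMP_ACT_ALLOW, is what Docker's own default profile uses and is the safer starting point for a fixed-purpose application.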