From 218740abc725e7f95d4a141a20c6a0f4fff21cd9 Mon Sep 17 00:00:00 2001 From: Daniel Zhang Date: Mon, 9 Jan 2017 09:22:05 +0800 Subject: [PATCH] Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang --- docs/reference/commandline/dockerd.md | 2 ++ docs/reference/run.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md index 1ebdc3b666..84f4d998ed 100644 --- a/docs/reference/commandline/dockerd.md +++ b/docs/reference/commandline/dockerd.md @@ -70,6 +70,7 @@ Options: --max-concurrent-uploads int Set the max concurrent uploads for each push (default 5) --metrics-addr string Set address and port to serve the metrics api (default "") --mtu int Set the containers network MTU + --no-new-privileges Disable container processes from gaining new privileges --oom-score-adjust int Set the oom_score_adj for the daemon (default -500) -p, --pidfile string Path to use for daemon PID file (default "/var/run/docker.pid") --raw-logs Full timestamps without ANSI coloring @@ -1190,6 +1191,7 @@ This is a full example of the allowed configuration options on Linux: "seccomp-profile": "", "insecure-registries": [], "disable-legacy-registry": false, + "no-new-privileges": false, "default-runtime": "runc", "oom-score-adjust": -500, "runtimes": { diff --git a/docs/reference/run.md b/docs/reference/run.md index d26c625004..62275e02ac 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -630,7 +630,7 @@ with the same logic -- if the original volume was specified with a name it will --security-opt="label=level:LEVEL" : Set the label level for the container --security-opt="label=disable" : Turn off label confinement for the container --security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied to the container - --security-opt="no-new-privileges" : Disable container processes from gaining new privileges + --security-opt="no-new-privileges:true|false" : Disable/enable container processes from gaining new privileges --security-opt="seccomp=unconfined" : Turn off seccomp confinement for the container --security-opt="seccomp=profile.json": White listed syscalls seccomp Json file to be used as a seccomp filter