mirror of https://github.com/docker/cli.git
Expand the documentation of "no-new-privileges"
The change to runc in https://github.com/opencontainers/runc/pull/789 was not documented previously. Also say what this affects and clean up layout of initial table as there was some miscolouration of the continuation lines. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
parent
1210363e0f
commit
8bc84934fb
|
@ -630,10 +630,8 @@ with the same logic -- if the original volume was specified with a name it will
|
||||||
--security-opt="label=type:TYPE" : Set the label type for the container
|
--security-opt="label=type:TYPE" : Set the label type for the container
|
||||||
--security-opt="label=level:LEVEL" : Set the label level for the container
|
--security-opt="label=level:LEVEL" : Set the label level for the container
|
||||||
--security-opt="label=disable" : Turn off label confinement for the container
|
--security-opt="label=disable" : Turn off label confinement for the container
|
||||||
--security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied
|
--security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied to the container
|
||||||
to the container
|
--security-opt="no-new-privileges" : Disable container processes from gaining new privileges
|
||||||
--security-opt="no-new-privileges" : Disable container processes from gaining
|
|
||||||
new privileges
|
|
||||||
--security-opt="seccomp=unconfined": Turn off seccomp confinement for the container
|
--security-opt="seccomp=unconfined": Turn off seccomp confinement for the container
|
||||||
--security-opt="seccomp=profile.json: White listed syscalls seccomp Json file to be used as a seccomp filter
|
--security-opt="seccomp=profile.json: White listed syscalls seccomp Json file to be used as a seccomp filter
|
||||||
|
|
||||||
|
@ -665,7 +663,10 @@ privileges, you can execute the following command:
|
||||||
|
|
||||||
$ docker run --security-opt no-new-privileges -it centos bash
|
$ docker run --security-opt no-new-privileges -it centos bash
|
||||||
|
|
||||||
For more details, see [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).
|
This means that commands that raise privileges such as `su` or `sudo` will no longer work.
|
||||||
|
It also causes any seccomp filters to be applied later, after privileges have been dropped
|
||||||
|
which may mean you can have a more restrictive set of filters.
|
||||||
|
For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).
|
||||||
|
|
||||||
## Specifying custom cgroups
|
## Specifying custom cgroups
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue