Missing documentation and man pages on seccomp options.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
| ... | ... |
@@ -608,6 +608,9 @@ with the same logic -- if the original volume was specified with a name it will |
| 608 | 608 |
to the container |
| 609 | 609 |
--security-opt="no-new-privileges" : Disable container processes from gaining |
| 610 | 610 |
new privileges |
| 611 |
+ --security-opt="seccomp:unconfined": Turn off seccomp confinement for the container |
|
| 612 |
+ --security-opt="seccomp:profile.json: White listed syscalls seccomp Json file to be used as a seccomp filter |
|
| 613 |
+ |
|
| 611 | 614 |
|
| 612 | 615 |
You can override the default labeling scheme for each container by specifying |
| 613 | 616 |
the `--security-opt` flag. For example, you can specify the MCS/MLS level, a |
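Review bot: the new `--security-opt="seccomp:profile.json: ...` line (new line 612) is missing its closing double quote, so the option value and its description run together; it should read `--security-opt="seccomp:profile.json" : ...` to match the `--security-opt="seccomp:unconfined"` entry directly above it. The description "White listed syscalls seccomp Json file to be used as a seccomp filter" also reads awkwardly; "Use the whitelisted-syscall seccomp profile in profile.json as the container's seccomp filter" says the same thing more clearly (and JSON is conventionally capitalised). Finally, the added blank line at 613 sits next to the existing blank line at 614, leaving two consecutive blank lines before the labeling paragraph.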
| ... | ... |
@@ -316,6 +316,15 @@ unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. |
| 316 | 316 |
**--security-opt**=[] |
| 317 | 317 |
Security Options |
| 318 | 318 |
|
| 319 |
+ "label:user:USER" : Set the label user for the container |
|
| 320 |
+ "label:role:ROLE" : Set the label role for the container |
|
| 321 |
+ "label:type:TYPE" : Set the label type for the container |
|
| 322 |
+ "label:level:LEVEL" : Set the label level for the container |
|
| 323 |
+ "label:disable" : Turn off label confinement for the container |
|
| 324 |
+ "no-new-privileges" : Disable container processes from gaining additional privileges |
|
| 325 |
+ "seccomp:unconfined" : Turn off seccomp confinement for the container |
|
| 326 |
+ "seccomp:profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter |
|
| 327 |
+ |
|
| 319 | 328 |
**--stop-signal**=*SIGTERM* |
| 320 | 329 |
Signal to stop a container. Default is SIGTERM. |
| 321 | 330 |
|
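Review bot: `"seccomp:profile.json : ...` at new line 326 is missing the closing quote that every other entry in this list has (`"seccomp:unconfined"`, `"no-new-privileges"`, `"label:disable"`, ...); it should be `"seccomp:profile.json" : ...`. Same wording nit as in the run.md change: "White listed syscalls seccomp Json file to be used as a seccomp filter" would be clearer as "Use the whitelisted-syscall seccomp profile in profile.json as the container's seccomp filter". Since this hunk introduces the whole option list under the bare `Security Options` line, it is also the right place to keep the entries contiguous, as the label entries already are, rather than mixing blank-line-separated and unseparated entries.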
| ... | ... |
@@ -468,8 +468,11 @@ its root filesystem mounted as read only prohibiting any writes. |
| 468 | 468 |
"label:type:TYPE" : Set the label type for the container |
| 469 | 469 |
"label:level:LEVEL" : Set the label level for the container |
| 470 | 470 |
"label:disable" : Turn off label confinement for the container |
| 471 |
+ |
|
| 471 | 472 |
"no-new-privileges" : Disable container processes from gaining additional privileges |
| 472 | 473 |
|
| 474 |
+ "seccomp:unconfined" : Turn off seccomp confinement for the container |
|
| 475 |
+ "seccomp:profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter |
|
| 473 | 476 |
|
| 474 | 477 |
**--stop-signal**=*SIGTERM* |
| 475 | 478 |
Signal to stop a container. Default is SIGTERM. |
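Review bot: `"seccomp:profile.json : ...` at new line 475 is missing its closing double quote; every other entry in this list closes the quoted option before the ` : ` separator, so it should be `"seccomp:profile.json" : ...`, and the description would read better as "Use the whitelisted-syscall seccomp profile in profile.json as the container's seccomp filter". The hunk also inserts a blank line between `"label:disable"` and `"no-new-privileges"` (new line 471) and leaves another between `"no-new-privileges"` and the seccomp entries, while the same list added to the other man page in this commit (lines 319 to 326 there) is contiguous; pick one layout for both files so the two man pages render the option list the same way.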