update intro to say there are four things to consider
(cherry picked from commit ce2ca236db)
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
(cherry picked from commit 7cee444f8b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Looks like there's issues with sourceforge project
pages. Given that sourceforge isn't really what
it used to be, trying to find alternative URLs
where possible.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0e7a1079be)
Signed-off-by: Tibor Vass <tibor@docker.com>
the instructions by providing a single compose file that runs the notary server, registry,
and a docker-in-docker trust sandbox.
Signed-off-by: cyli <cyli@twistedmatrix.com>
the 'modify_ldt' was listed as "blocked by default",
but was whitelisted in 13a9d4e899
this updates the documentation to reflect this
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.
Signed-off-by: David Calavera <david.calavera@gmail.com>
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.
The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration
The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Fixes#20818
This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Corrected titles to use title case. Added link to default.json and some numerical detail. Changed example JSON to a portion of the actual default file, with the correct defaultAction.
Signed-off-by: Steven Iveson <steven.iveson@infinityworks.com>
Just some suggested wording to update this page to take account of User Namespaces being available as of 1.10.
Signed-off-by: Rory McCune <rorym@mccune.org.uk>
Seccomp is only *compiled* in binaries built for
distros that ship with seccomp 2.2.1 or higher,
and in the static binaries.
The static binaries are not really useful for
RHEL and CentOS, because devicemapper does
not work properly with the static binaries,
so static binaries is only an option for Ubuntu
and Debian.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixing the links
Updating with Seb's comments
Adding weight
Fixing the engine aliases
Updating after Arun pushed
Removing empty file
Signed-off-by: Mary Anthony <mary@docker.com>
Signed-off-by: Mary Anthony <mary@docker.com>
Updaing and slight re-arrangement of security information
Signed-off-by: Mary Anthony <mary@docker.com>
Updating security files
Signed-off-by: Mary Anthony <mary@docker.com>
Updating links to the security documentation
Signed-off-by: Mary Anthony <mary@docker.com>
removing some extra spaces
Signed-off-by: Mary Anthony <mary@docker.com>
Correcting spelling
Signed-off-by: Mary Anthony <mary@docker.com>
