opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-07-02 00:30:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #25887 from fice-t/no-new-priv

Browse Source 
docs: Expand description of no-new-privileges
This commit is contained in:
openshift-merge-bot[bot]
2025-04-16 20:08:41 +00:00
committed by GitHub
parent ae63e2c932 b615011b44
commit 1143162e69
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/source/markdown/options/security-opt.md
View File

@ -22,7 +22,7 @@ Note: Labeling can be disabled for all <<|pods/>>containers by setting label=fal
- **mask**=_/path/1:/path/2_: The paths to mask separated by a colon. A masked path cannot be accessed inside the container<<s within the pod|>>.
- **no-new-privileges**: Disable container processes from gaining additional privileges.
- **no-new-privileges**: Disable container processes from gaining additional privileges through the `execve(2)` system call (e.g. via setuid or setgid bits, or via file capabilities). Programs that rely on setuid/setgid bits set on their executable to change user id or group id are no longer able to do so, and any file capabilities added to the executable (e.g. via `setcap`) are not added to the permitted capability set. For more details, see: https://docs.kernel.org/userspace-api/no_new_privs.html.
- **seccomp=unconfined**: Turn off seccomp confinement for the <<container|pod>>.
- **seccomp=profile.json**: JSON file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`.