podman/docs/source/markdown/options/security-opt.md
Ed Santiago f95ff4f460 Man pages: refactor common options: --security-opt
This was a horrible one. I basically went with the podman-run
version, with a few minor changes. See PR for discussion of
diff review.

podman-build is not included here, it is too different.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2022-11-02 13:44:36 -06:00

2.4 KiB

####> This option file is used in:
####>   podman create, pod clone, pod create, run
####> If you edit this file, make sure your changes
####> are applicable to all of those.

--security-opt=option

Security Options

  • apparmor=unconfined: Turn off apparmor confinement for the <<container|pod>>

  • apparmor=your-profile: Set the apparmor confinement profile for the <<container|pod>>

  • label=user:USER: Set the label user for the <<container|pod>> processes

  • label=role:ROLE: Set the label role for the <<container|pod>> processes

  • label=type:TYPE: Set the label process type for the <<container|pod>> processes

  • label=level:LEVEL: Set the label level for the <<container|pod>> processes

  • label=filetype:TYPE: Set the label file type for the <<container|pod>> files

  • label=disable: Turn off label separation for the <<container|pod>>

Note: Labeling can be disabled for all <<|pods/>>containers by setting label=false in the containers.conf (/etc/containers/containers.conf or $HOME/.config/containers/containers.conf) file.

  • mask=/path/1:/path/2: The paths to mask separated by a colon. A masked path cannot be accessed inside the container<<s within the pod|>>.

  • no-new-privileges: Disable container processes from gaining additional privileges.

  • seccomp=unconfined: Turn off seccomp confinement for the <<container|pod>>.

  • seccomp=profile.json: JSON file to be used as a seccomp filter. Note that the io.podman.annotations.seccomp annotation is set with the specified value as shown in podman inspect.

  • proc-opts=OPTIONS: Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the proc(5) man page.

  • unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to ALL, it will unmask all the paths that are masked or made read-only by default. The default masked paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux. The default paths that are read-only are /proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.

Note: Labeling can be disabled for all containers by setting label=false in the containers.conf(5) file.
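The mask=/unmask= entries above are easiest to reason about as set operations on the default lists the page gives. The model below is an added example, not podman's own code; it assumes that a specific unmask= entry is matched as a glob against both the masked and the read-only defaults (the page only states that for ALL), and it does not model the shell expanding an unquoted /proc/* against the host before podman sees it.

```python
from fnmatch import fnmatch

# Default lists, copied from the option description above.
DEFAULT_MASKED = [
    "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats",
    "/proc/sched_debug", "/proc/scsi", "/proc/timer_list",
    "/proc/timer_stats", "/sys/firmware", "/sys/fs/selinux",
]
DEFAULT_READONLY = [
    "/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys",
    "/proc/sysrq-trigger", "/sys/fs/cgroup",
]
KNOWN_KEYS = {"apparmor", "label", "mask", "unmask",
              "no-new-privileges", "seccomp", "proc-opts"}


def parse_security_opts(opts):
    """Split --security-opt values into (key, value) pairs.
    Bare keys such as no-new-privileges get value None."""
    parsed = []
    for opt in opts:
        key, sep, value = opt.partition("=")
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown security option: {opt!r}")
        if key == "no-new-privileges" and sep:
            raise ValueError("no-new-privileges takes no value")
        parsed.append((key, value if sep else None))
    return parsed


def effective_paths(opts):
    """Return (masked, readonly) as sorted lists after applying every
    mask=/unmask= entry in order, starting from the documented defaults."""
    masked, readonly = set(DEFAULT_MASKED), set(DEFAULT_READONLY)
    for key, value in parse_security_opts(opts):
        if key == "mask":
            # Extra paths the container must not be able to access.
            masked.update(p for p in value.split(":") if p)
        elif key == "unmask":
            if value == "ALL":
                masked.clear()
                readonly.clear()
                continue
            # Assumption: each entry is a glob checked against both lists.
            for pattern in (p for p in value.split(":") if p):
                masked = {p for p in masked if not fnmatch(p, pattern)}
                readonly = {p for p in readonly if not fnmatch(p, pattern)}
    return sorted(masked), sorted(readonly)
```

Running `effective_paths(["unmask=/proc/*"])` shows that only the /sys entries remain hidden or read-only, which is the concrete exposure a reviewer should weigh before accepting such a flag.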