summaryrefslogtreecommitdiff
path: root/docs/source/markdown
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2020-01-07 16:48:07 +0100
committerValentin Rothberg <rothberg@redhat.com>2020-01-09 17:57:58 +0100
commitf3f4c54f2abc341cee1e7b83e9538d91a3c627e3 (patch)
tree9c7174550c1071cd1b5ba98484f32e6169cee1ed /docs/source/markdown
parent7ccf412f7068acac16aa5aecf059df19c239f7cc (diff)
downloadpodman-f3f4c54f2abc341cee1e7b83e9538d91a3c627e3.tar.gz
podman-f3f4c54f2abc341cee1e7b83e9538d91a3c627e3.tar.bz2
podman-f3f4c54f2abc341cee1e7b83e9538d91a3c627e3.zip
policy for seccomp-profile selection
Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'docs/source/markdown')
-rw-r--r--docs/source/markdown/podman-create.1.md6
-rw-r--r--docs/source/markdown/podman-run.1.md6
2 files changed, 12 insertions, 0 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 85aa81553..814805e19 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -663,6 +663,12 @@ If specified, the first argument refers to an exploded container on the file sys
This is useful to run a container without requiring any image management, the rootfs
of the container is assumed to be managed externally.
+**--seccomp-policy**=*policy*
+
+Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" annotation in the container image and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below.
+
+Note that this feature is experimental and may change in the future.
+
**--security-opt**=*option*
Security Options
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index e8744de35..ceb97dbb7 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -685,6 +685,12 @@ of the container is assumed to be managed externally.
Note: On `SELinux` systems, the rootfs needs the correct label, which is by default
`unconfined_u:object_r:container_file_t`.
+**--seccomp-policy**=*policy*
+
+Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" annotation in the container image and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below.
+
+Note that this feature is experimental and may change in the future.
+
**--security-opt**=*option*
Security Options