diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2019-08-09 16:29:43 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-08-13 10:16:01 -0400 |
| commit | 316e51f0a91d24f75a9191e2226928bc0c1c5b91 (patch) | |
| tree | 7ab971c3fe4a1eedb291f89e9777dfb77ca90afe /docs | |
| parent | c48243ee1eb3fe36b54057994d5e908d8a3d7f16 (diff) | |
| download | podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.tar.gz podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.tar.bz2 podman-316e51f0a91d24f75a9191e2226928bc0c1c5b91.zip | |
Add support & documentation to run containers with different file types
Udica is adding new features to allow users to define container process
and file types. This would allow us to setup trusted communications channels
between multiple security domains. ContainerA -> ContainerB -> ContainerC
Add tests to make sure users can change file types
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/podman-build.1.md | 24 | ||||
| -rw-r--r-- | docs/podman-create.1.md | 21 | ||||
| -rw-r--r-- | docs/podman-run.1.md | 11 |
3 files changed, 29 insertions, 27 deletions
diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md index 878b31080..8deb8811e 100644 --- a/docs/podman-build.1.md +++ b/docs/podman-build.1.md @@ -375,18 +375,18 @@ to podman build, the option given would be `--runtime-flag log-format=json`. Security Options - "label=user:USER" : Set the label user for the container - "label=role:ROLE" : Set the label role for the container - "label=type:TYPE" : Set the label type for the container - "label=level:LEVEL" : Set the label level for the container - "label=disable" : Turn off label confinement for the container - "no-new-privileges" : Not supported - - "seccomp=unconfined" : Turn off seccomp confinement for the container - "seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter - - "apparmor=unconfined" : Turn off apparmor confinement for the container - "apparmor=your-profile" : Set the apparmor confinement profile for the container +- `apparmor=unconfined` : Turn off apparmor confinement for the container +- `apparmor=your-profile` : Set the apparmor confinement profile for the container + +- `label=user:USER` : Set the label user for the container processes +- `label=role:ROLE` : Set the label role for the container processes +- `label=type:TYPE` : Set the label process type for the container processes +- `label=level:LEVEL` : Set the label level for the container processes +- `label=filetype:TYPE` : Set the label file type for the container files +- `label=disable` : Turn off label separation for the container + +- `seccomp=unconfined` : Turn off seccomp confinement for the container +- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter **--shm-size**=*size* diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 50fca3541..29ae2e1b7 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -631,19 +631,20 @@ of the container is assumed to be managed externally. Security Options -"apparmor=unconfined" : Turn off apparmor confinement for the container -"apparmor=your-profile" : Set the apparmor confinement profile for the container +- `apparmor=unconfined` : Turn off apparmor confinement for the container +- `apparmor=your-profile` : Set the apparmor confinement profile for the container -"label=user:USER" : Set the label user for the container -"label=role:ROLE" : Set the label role for the container -"label=type:TYPE" : Set the label type for the container -"label=level:LEVEL" : Set the label level for the container -"label=disable" : Turn off label confinement for the container +- `label=user:USER` : Set the label user for the container processes +- `label=role:ROLE` : Set the label role for the container processes +- `label=type:TYPE` : Set the label process type for the container processes +- `label=level:LEVEL` : Set the label level for the container processes +- `label=filetype:TYPE` : Set the label file type for the container files +- `label=disable` : Turn off label separation for the container -"no-new-privileges" : Disable container processes from gaining additional privileges +- `no-new-privileges` : Disable container processes from gaining additional privileges -"seccomp=unconfined" : Turn off seccomp confinement for the container -"seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter +- `seccomp=unconfined` : Turn off seccomp confinement for the container +- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter Note: Labeling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index e7c898b25..8a211e284 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -656,11 +656,12 @@ Security Options - `apparmor=unconfined` : Turn off apparmor confinement for the container - `apparmor=your-profile` : Set the apparmor confinement profile for the container -- `label=user:USER` : Set the label user for the container -- `label=role:ROLE` : Set the label role for the container -- `label=type:TYPE` : Set the label type for the container -- `label=level:LEVEL` : Set the label level for the container -- `label=disable` : Turn off label confinement for the container +- `label=user:USER` : Set the label user for the container processes +- `label=role:ROLE` : Set the label role for the container processes +- `label=type:TYPE` : Set the label process type for the container processes +- `label=level:LEVEL` : Set the label level for the container processes +- `label=filetype:TYPE` : Set the label file type for the container files +- `label=disable` : Turn off label separation for the container - `no-new-privileges` : Disable container processes from gaining additional privileges |