From 9c8e2822cb95679106a26fd4eb92f8323148a619 Mon Sep 17 00:00:00 2001 From: Mark Stosberg Date: Fri, 10 Jan 2020 22:02:08 -0500 Subject: docs: --privileged docs completeness, consistency As discussed in https://github.com/containers/libpod/issues/4840 Signed-off-by: Mark Stosberg --- docs/source/markdown/podman-create.1.md | 4 +++- docs/source/markdown/podman-exec.1.md | 14 +++++++++++++- docs/source/markdown/podman-run.1.md | 19 ++++++++++--------- 3 files changed, 26 insertions(+), 11 deletions(-) diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 2bbe4f70a..fdc2edf39 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -586,7 +586,7 @@ To make a pod with more granular options, use the `podman pod create` command be Give extended privileges to this container. The default is *false*. By default, Podman containers are -“unprivileged” (=false) and cannot, for example, modify parts of the kernel. +“unprivileged” (=false) and cannot, for example, modify parts of the operating system. This is because by default a container is not allowed to access any devices. A “privileged” container is given access to all devices. @@ -595,6 +595,8 @@ to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. +Rootless containers cannot have more privileges than the account that launched them. + **--publish**, **-p**=*port* Publish a container's port, or range of ports, to the host diff --git a/docs/source/markdown/podman-exec.1.md b/docs/source/markdown/podman-exec.1.md index d46427c91..fc67211d1 100644 --- a/docs/source/markdown/podman-exec.1.md +++ b/docs/source/markdown/podman-exec.1.md @@ -43,7 +43,19 @@ Pass down to the process N additional file descriptors (in addition to 0, 1, 2). **--privileged** -Give the process extended Linux capabilities when running the command in container. +Give extended privileges to this container. The default is *false*. + +By default, Podman containers are +"unprivileged" and cannot, for example, modify parts of the operating system. +This is because by default a container is only allowed limited access to devices. +A "privileged" container is given the same access to devices as the user launching the container. + +A privileged container turns off the security features that isolate the +container from the host. Dropped Capabilities, limited devices, read/only mount +points, Apparmor/SELinux separation, and Seccomp filters are all disabled. + +Rootless containers cannot have more privileges than the account that launched them. + **--tty**, **-t** diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 3f6effb75..d9fdd9650 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -599,15 +599,16 @@ If a container is run with a pod, and the pod has an infra-container, the infra- Give extended privileges to this container. The default is *false*. -By default, Podman containers are “unprivileged” (=false) and cannot, -for example, modify parts of the kernel. This is because by default a -container is not allowed to access any devices. A “privileged” container -is given access to all devices. - -When the operator executes **podman run --privileged**, Podman enables access -to all devices on the host, turns off graphdriver mount options, as well as -turning off most of the security measures protecting the host from the -container. +By default, Podman containers are “unprivileged” (=false) and cannot, for +example, modify parts of the operating system. This is because by default a +container is only allowed limited access to devices. A "privileged" container +is given the same access to devices as the user launching the container. + +A privileged container turns off the security features that isolate the +container from the host. Dropped Capabilities, limited devices, read/only mount +points, Apparmor/SELinux separation, and Seccomp filters are all disabled. + +Rootless containers cannot have more privileges than the account that launched them. **--publish**, **-p**=*port* -- cgit v1.2.3-54-g00ecf