Linux kernel 5.13 adds support for Landlock Linux Security Module (LSM).
This allows unprivileged processes to create safe security sandboxes
that can securely restrict the ambient rights (e.g. global filesystem
access) for themselves.
opencontainers#1110
Signed-off-by: Kailun Qin <[email protected]>
config.md: 68 additions & 1 deletion
@@ -211,7 +211,14 @@ For Linux-based systems, the `process` object supports the following process-spe
211
211
This is a per-process setting, where as [`disableOOMKiller`](config-linux.md#memory) is scoped for a memory cgroup.
212
212
For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
213
213
***`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
214
-
For more information about SELinux, see [SELinux documentation][selinux].
214
+
For more information about SELinux, see [SELinux documentation][selinux].
215
+
***`landlock`** (object, OPTIONAL) specifies the Landlock unprivileged access control settings for the container process.
216
+
For more information about Landlock, see [Landlock documentation][landlock].
217
+
`landlock` contains the following properties:
218
+
219
+
***`ruleset`** (object, OPTIONAL) the `ruleset` field identifies a set of rules (i.e., actions on objects) that need to be handled (i.e., restricted).
220
+
***`rules`** (array of objects, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset
221
+
***`abi`** (object, OPTIONAL) the `abi` field defines the specific Landlock ABI version.
215
222
216
223
### <aname="configUser" />User
217
224
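Review bot: the `abi` entry at the end of the new `landlock` property list is typed `(object, OPTIONAL)` but described as "the specific Landlock ABI version"; Landlock reports its ABI as a single integer, so either type this as an integer or state what the object contains. The list also marks `ruleset`, `rules` and `abi` all OPTIONAL without saying, in the lines shown here, what a runtime must do when `rules` is given without `ruleset` (the text says rules are "added to an existing ruleset") or when the running kernel does not provide Landlock or the requested ABI. For a sandboxing feature the spec should state whether that case is an error or a best-effort fallback, because a silent fallback leaves the container process unrestricted. Minor: the `rules` line is missing its closing period, and the `selinuxLabel` "For more information about SELinux" line is removed and re-added with no visible text change, which looks like a whitespace-only edit that could be dropped from this patch.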
@@ -253,6 +260,65 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are