Looks like there's issues with sourceforge project
pages. Given that sourceforge isn't really what
it used to be, trying to find alternative URLs
where possible.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 0e7a1079be5e87aae2abcda7c27a2b0e67270a50
Component: engine
the instructions by providing a single compose file that runs the notary server, registry,
and a docker-in-docker trust sandbox.
Signed-off-by: cyli <cyli@twistedmatrix.com>
Upstream-commit: ba115b0a91970f434e41e9f72caccc01493a9729
Component: engine
the 'modify_ldt' was listed as "blocked by default",
but was whitelisted in 13a9d4e8993997b2bf9be7e96a8d7978a73d0b9b
this updates the documentation to reflect this
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 2cddd1cd1f3135f36f6afcc84ddfda904aeee3b5
Component: engine
This pull request fixes several typos in the documentation.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 3c6aa163a3fd04c344a2072ab379f0778734b269
Component: engine
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: cb9aeb0413ca75bb3af7fa723a1f2e6b2bdbcb0e
Component: engine
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.
The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration
The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 96896f2d0bc16269778dd4f60a4920b49953ffed
Component: engine
Fixes#20818
This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 5abd881883883a132f96f8adb1b07b5545af452b
Component: engine
Corrected titles to use title case. Added link to default.json and some numerical detail. Changed example JSON to a portion of the actual default file, with the correct defaultAction.
Signed-off-by: Steven Iveson <steven.iveson@infinityworks.com>
Upstream-commit: 244e5fc51653b47a974ad111022ea923ddebaf05
Component: engine
Just some suggested wording to update this page to take account of User Namespaces being available as of 1.10.
Signed-off-by: Rory McCune <rorym@mccune.org.uk>
Upstream-commit: c1e53ad1aa9d82568efc045444a5df76b1471905
Component: engine
Seccomp is only *compiled* in binaries built for
distros that ship with seccomp 2.2.1 or higher,
and in the static binaries.
The static binaries are not really useful for
RHEL and CentOS, because devicemapper does
not work properly with the static binaries,
so static binaries is only an option for Ubuntu
and Debian.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 13839a6d328692c672394811ee3afd9a168fc328
Component: engine
