Commit 7d06097

docs: update README.md with Linux namespace adjustment.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
1 parent 6347e7e commit 7d06097

1 file changed

+11
-7
lines changed

README.md

Lines changed: 11 additions & 7 deletions
@@ -254,6 +254,7 @@ container parameters:
254254
- Block I/O class
255255
- RDT class
256256
- Linux seccomp policy
257+
- Linux namespaces
257258

258259
### Container Updates
259260

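Review bot: the new bullet "Linux namespaces" in the list of adjustable container parameters reads as if namespaces are freely adjustable, yet the validator hunk in this same commit says the default validator rejects any adjustment that alters a container's namespaces. Readers scanning only this list will miss that, so consider a short pointer in the entry itself, for example "- Linux namespaces (see the default validator restrictions below)", or at least mention the restriction in the surrounding paragraph so the capability and the default policy are not documented in isolation from each other.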
@@ -349,11 +350,14 @@ for rejecting adjustment of the seccomp policy profile based on the type of poli
349350
profile set for the container. These types include the runtime default seccomp
350351
policy profile, a custom policy profile, and unconfined security profiles.
351352

352-
3. Verify global mandatory plugins: Verify that all configured mandatory
353+
3. Reject Linux Namespace adjustment: Reject any adjustment which tries to
354+
alter Linux namespaces of a container.
355+
356+
4. Verify global mandatory plugins: Verify that all configured mandatory
353357
plugins are present and have processed a container. Otherwise reject the
354358
creation of the container.
355359

356-
4. Verify annotated mandatory plugins: Verify that an annotated set of
360+
5. Verify annotated mandatory plugins: Verify that an annotated set of
357361
container-specific mandatory plugins are present and have processed a
358362
container. Otherwise reject the creation of the container.
359363

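Review bot: item 3 states that the default validator rejects "any adjustment" of Linux namespaces, but the Default Validation Scope paragraph in this same commit says namespace adjustment "can be restricted" by the default validator, and item 2 describes the seccomp check as configurable by policy profile type; please say explicitly whether the namespace check is unconditional or has a configuration knob like the seccomp one, since a reader deciding how to deploy a namespace-adjusting plugin needs to know which it is. An unconditional reject is a defensible default given that namespaces are the isolation boundary between a container and its host, but the text should then say "always rejects". Two wording points: "Linux Namespace" should be lower-case "namespace" to match "Linux namespaces" in the parameter list, and "Reject any adjustment which tries to alter Linux namespaces of a container" reads better as "Reject any adjustment that tries to alter the Linux namespaces of a container".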
@@ -362,11 +366,11 @@ allows one to deploy mandatory plugins as containers themselves.
362366

363367
#### Default Validation Scope
364368

365-
Currently only OCI hook injection and Linux seccomp policy can be restricted
366-
using the default validator. However, this probably will change in the future.
367-
Especially when NRI is extended with control over more container parameters.
368-
If newly added controls will have security implications, expect corresponding
369-
configurable restrictions in the default validator.
369+
Currently only OCI hook injection, Linux seccomp policy and Linux namespace
370+
adjustment can be restricted using the default validator. However, this probably
371+
will change in the future. Especially when NRI is extended with control over more
372+
container parameters. If newly added controls will have security implications,
373+
expect corresponding configurable restrictions in the default validator.
370374

371375
## Runtime Adaptation
372376

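Review bot: "Especially when NRI is extended with control over more container parameters." is a sentence fragment and should be folded into the preceding sentence, e.g. "However, this will probably change in the future, especially when NRI is extended with control over more container parameters." In the same paragraph, "If newly added controls will have security implications" should read "If newly added controls have security implications", and the three-item list "OCI hook injection, Linux seccomp policy and Linux namespace adjustment" wants a comma before "and" so that "Linux seccomp policy and Linux namespace adjustment" is not read as a single item.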