From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Fri, 16 Sep 2016 06:56:45 +0000 (+0900)
Subject: doc: Add lxc.no_new_privs to Japanese lxc.container.conf(5)
X-Git-Tag: lxc-2.1.0~324^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1192%2Fhead;p=thirdparty%2Flxc.git

doc: Add lxc.no_new_privs to Japanese lxc.container.conf(5)

Update for commit 222ddc

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---

diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 1aadcc342..6031797b1 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -1845,6 +1845,42 @@ mknod errno 0
       </variablelist>
     </refsect2>
 
+    <refsect2>
+      <title>PR_SET_NO_NEW_PRIVS</title>
+      <para>
+        <!--
+              With PR_SET_NO_NEW_PRIVS active execve() promises not to grant
+              privileges to do anything that could not have been done without
+              the execve() call (for example, rendering the set-user-ID and
+              set-group-ID mode bits, and file capabilities non-functional).
+              Once set, this bit cannot be unset. The setting of this bit is
+              inherited by children created by fork() and clone(), and preserved
+              across execve().
+              Note that PR_SET_NO_NEW_PRIVS is applied after the container has
+              changed into its intended AppArmor profile or SElinux context.
+          -->
+        PR_SET_NO_NEW_PRIVS ãä»ä¸ããã¨ãå¯¾è±¡ã® execve() ã¯ãexecve() ã®å¼ã³åºããªãã§ã¯å®è¡ã§ããªãã£ããã¨ã«å¯¾ããç¹æ¨©ãè¨±å¯ããªããªãã¾ã (ä¾ãã°ãset-user-IDãset-group-ID è¨±å¯ããããããã¡ã¤ã«ã±ã¼ãããªãã£ãåä½ããªããªãã¾ã)ã
+        ä¸åº¦è¨­å®ãããã¨ããã®ãããã¯è§£é¤ã§ãã¾ããããã®ãããã®è¨­å®ã¯ fork() ã clone() ã§çæãããå­ãã­ã»ã¹ã«ãç¶æ¿ãããexecve() ã®åå¾ã§ä¿æããã¾ãã
+        PR_SET_NO_NEW_PRIVS ã¯ãã³ã³ããã«é©ç¨ãããã¨ãã AppArmor ãã­ãã¡ã¤ã«ãããã¯ SELinux ã³ã³ãã­ã¹ãã¸ã®å¤æ´ããªããããã¨ã«é©ç¨ããã¾ãã
+      </para>
+      <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.no_new_privs</option>
+          </term>
+          <listitem>
+            <para>
+	      <!--
+              Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the
+              container. Set to 1 to activate.
+		-->
+	      ã³ã³ããã«å¯¾ãã¦ PR_SET_NO_NEW_PRIVS ããããè¨­å®ãããã©ãããæå®ãã¾ãã1 ã«è¨­å®ããã¨æå¹ã«ãªãã¾ãã
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+
     <refsect2>
       <title><!-- UID mappings -->UID ã®ãããã³ã°</title>
       <para>
