1. 05 Sep, 2015 1 commit
    • Colin Walters's avatar
      Add --mount-devapi option · 4b9efbfb
      Colin Walters authored
      By default, we had supported `--mount-bind /dev /dev` to get
      access to devices.  But in many cases, build systems and the
      like will want to avoid exposing host physical devices.
      For example, if I'm building something locally, I don't want the
      makefile etc. to be able to access `/dev/dri`.
  2. 28 Aug, 2015 1 commit
    • Colin Walters's avatar
      Add seccomp and rules imported from xdg-app/Sandstorm.io · 8cee4ab7
      Colin Walters authored
      seccomp is disabled by default for backwards compatibility.
      This "v0" version is a basic blacklist that turns off some of the
      known historical attack surface, initially imported from xdg-app.
      I added a note about code sharing - we should share rules among
      container implementations.