api-extension: add missing seccomp_proxy_send_notify_fd extension

[mirror_lxc.git] / doc / api-extensions.md

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index e8b5eb08906ab50c206bd8c2453e9df9739fd1b5..40270fa7bc3493d867856aafe20911e5a154cc25 100644 (file)
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -122,3 +122,25 @@ When running on kernels that support pidfds LXC will rely on them for most opera
 ## cgroup\_advanced\_isolation
 
 Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+
+
+## time\_namespace
+
+This adds time namespace support to LXC.
+
+## seccomp\_allow\_deny\_syntax
+
+This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
+
+## devpts\_fd
+
+This adds the ability to allocate a file descriptor for the devpts instance of
+the container.
+
+## seccomp\_notify\_fd\_active
+
+Retrieve the seccomp notifier fd from a running container.
+
+## seccomp\_proxy\_send\_notify\_fd
+
+Whether the seccomp notify proxy sends a long a notify fd file descriptor.