From 3050d9af9b2384baed599be9d7142b4775f89e10 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Wed, 13 Jul 2016 14:41:58 +0100 Subject: [PATCH] Expand the documentation of "no-new-privileges" The change to runc in https://github.com/opencontainers/runc/pull/789 was not documented previously. Also say what this affects and clean up layout of initial table as there was some miscolouration of the continuation lines. Signed-off-by: Justin Cormack --- docs/reference/run.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/reference/run.md b/docs/reference/run.md index ab5ed29f84..15d75a0155 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -630,10 +630,8 @@ with the same logic -- if the original volume was specified with a name it will --security-opt="label=type:TYPE" : Set the label type for the container --security-opt="label=level:LEVEL" : Set the label level for the container --security-opt="label=disable" : Turn off label confinement for the container - --security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied - to the container - --security-opt="no-new-privileges" : Disable container processes from gaining - new privileges + --security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied to the container + --security-opt="no-new-privileges" : Disable container processes from gaining new privileges --security-opt="seccomp=unconfined": Turn off seccomp confinement for the container --security-opt="seccomp=profile.json: White listed syscalls seccomp Json file to be used as a seccomp filter 
@@ -665,7 +663,10 @@ privileges, you can execute the following command: $ docker run --security-opt no-new-privileges -it centos bash -For more details, see [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt). +This means that commands that raise privileges such as `su` or `sudo` will no longer work. +It also causes any seccomp filters to be applied later, after privileges have been dropped +which may mean you can have a more restrictive set of filters. +For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt). ## Specifying custom cgroups
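Review bot: In the first hunk (the `--security-opt` table at `@@ -630,10 +630,8 @@`), the reflow of the `apparmor=` and `no-new-privileges` entries onto single lines is fine, but the unchanged context line directly below, `--security-opt="seccomp=profile.json: White listed syscalls seccomp Json file`, is missing its closing `"` after `profile.json`; since this change already reworks the table layout to fix continuation-line rendering, that line should be corrected in the same pass, e.g. `--security-opt="seccomp=profile.json": White listed syscalls seccomp Json file`.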
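Review bot: In the second hunk (`@@ -665,7 +663,10 @@`), the added sentence `It also causes any seccomp filters to be applied later, after privileges have been dropped` needs a comma before `which may mean`, and "later" is left relative to nothing: say what the filter is applied after (the point at which the container process drops its privileges, rather than before it) so readers understand why this permits a more restrictive filter. The commit message attributes this ordering change to https://github.com/opencontainers/runc/pull/789, but the documentation does not mention that the behaviour depends on a runc version carrying that change; a short note on the minimum Docker/runc version would save users of older engines from expecting it.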