2026-04-07 15:44:49 +02:00
4 changed files with 6 additions and 11 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -5,5 +5,5 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "weekly"
+      interval: "daily"
    open-pull-requests-limit: 2
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -5,8 +5,6 @@
 name: "CodeQL"
 on:
  pull_request:
    branches: [main]
  # It takes the workflow approximately 30 minutes to analyze the code base
  # so it doesn't seem to make much sense to trigger it on every PR or commit.
  # It runs daily at 01:00 to avoid colliding with the Coverity workflow.
@ -20,7 +18,6 @@ jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event.pull_request.user.login == 'dependabot[bot]'
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -29,7 +29,7 @@ jobs:
          fetch-depth: 0
      - name: Lint Code Base
-        uses: github/super-linter@563be7dc5568017515b9e700329e9c6d3862f2b7
+        uses: github/super-linter@7d5dc989c55aaba9d3b7194a7496cdfaa4866af3
        env:
          DEFAULT_BRANCH: main
          # Excludes:
--- a/docs/CONTAINER_INTERFACE.md
+++ b/docs/CONTAINER_INTERFACE.md
@ -22,12 +22,10 @@ manager, please consider supporting the following interfaces.
   (that file overrides whatever is pre-initialized by the container manager).
 2. Make sure to pre-mount `/proc/`, `/sys/`, and `/sys/fs/selinux/` before
-   invoking systemd, and mount `/sys/`, `/sys/fs/selinux/` and `/proc/sys/`
+   invoking systemd, and mount `/proc/sys/`, `/sys/`, and `/sys/fs/selinux/`
-   read-only (the latter via e.g. a read-only bind mount on itself) in order
+   read-only in order to prevent the container from altering the host kernel's
-   to prevent the container from altering the host kernel's configuration
+   configuration settings. (As a special exception, if your container has
-   settings. (As a special exception, if your container has network namespaces
+   network namespaces enabled, feel free to make `/proc/sys/net/` writable).
   enabled, feel free to make `/proc/sys/net/` writable. If it also has user, ipc,
   uts and pid namespaces enabled, the entire `/proc/sys` can be left writable).
   systemd and various other subsystems (such as the SELinux userspace) have
   been modified to behave accordingly when these file systems are read-only.
   (It's OK to mount `/sys/` as `tmpfs` btw, and only mount a subset of its