ECI doc improvements ... (#19976)

* Improve subtitle in ECI limitations page.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Move ECI faqs from security/faqs -> ECI section.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Improve security FAQ and mention ECI.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fix a couple of links in ECI FAQ.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fix ECI FAQ in TOC.

* Add a dedicated container FAQ to the security FAQs section.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Apply suggestions from code review

---------

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
This commit is contained in:
Cesar Talledo 2024-05-07 01:09:16 -07:00 committed by GitHub
parent 2e8c70bdfe
commit 449cd2f0d8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 88 additions and 44 deletions

@ -59,7 +59,7 @@ For more information on how Enhanced Container Isolation work, see [How does it
>
> Enhanced Container Isolation does not yet fully protect Docker builds,
> Kubernetes pods and Extension containers. For more information on known
> limitations and workarounds, see [FAQs](../../../security/faqs/eci-faq.md).
> limitations and workarounds, see [FAQs](faq.md).
{.important }
### What host OSes / platforms is Enhanced Container Isolation supported on?
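Review bot: the admonition closer on this hunk is written `{.important }` while the next hunk in the same file uses `{ .important }`; pick one spacing so the attribute lists stay consistent. While this note is being touched, the unchanged context line "how Enhanced Container Isolation work" should read "works".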
@ -87,7 +87,7 @@ To enable Enhanced Container Isolation as a developer:
> **Important**
>
> Enhanced Container Isolation does not protect containers created prior to enabling ECI. For more information on known limitations and workarounds, see [FAQs](../../../security/faqs/eci-faq.md).
> Enhanced Container Isolation does not protect containers created prior to enabling ECI. For more information on known limitations and workarounds, see [FAQs](faq.md).
{ .important }
#### As an admin

@ -3,10 +3,6 @@ title: Enhanced Container Isolation (ECI) FAQs
description: Frequently asked questions for Enhanced Container Isolation
keywords: enhanced container isolation, security, faq, sysbox, Docker Desktop
toc_max: 2
tags: [FAQ]
aliases:
- /desktop/hardened-desktop/enhanced-container-isolation/faq/
- /faq/security/eci-faq/
---
### Do I need to change the way I use Docker when ECI is switched on?
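Review bot: the front matter of this moved page lists no alias for `/security/faqs/eci-faq/`, the URL it lived at until this commit (its TOC entry is removed further down), so existing bookmarks and links to the old location will 404 after the move. Add `- /security/faqs/eci-faq/` under `aliases:` so the old path redirects to the new page.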
@ -62,7 +58,7 @@ when using [Testcontainers](https://testcontainers.com/) for local testing.
To enable such use cases, it's possible to configure ECI to allow Docker socket
mounts into containers, but only for your chosen (i.e,. trusted) container images, and
even restrict what commands the container can send to the Docker engine via the socket.
See [ECI Docker socket mount permissions](../../desktop/hardened-desktop/enhanced-container-isolation/config.md#docker-socket-mount-permissions).
See [ECI Docker socket mount permissions](config.md#docker-socket-mount-permissions).
### Does ECI protect all containers launched with Docker Desktop?
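Review bot: the unchanged context line two lines above the edited link has a typo, "(i.e,. trusted)", which should read "(i.e., trusted)"; worth fixing in the same pass since the paragraph is already being edited.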
@ -75,12 +71,12 @@ with Docker Desktop 4.30, it protects such containers, except for Docker Desktop
on WSL 2 (Windows hosts).
Note that ECI always protects containers used by `docker build`, when using the
[docker-container build driver](../../build/drivers/_index.md), since Docker
[docker-container build driver](../../../build/drivers/_index.md), since Docker
Desktop 4.19 and on all supported platforms (Windows with WSL 2 or Hyper-V, Mac,
and Linux).
ECI does not yet protect Docker Desktop Kubernetes pods, Extension containers,
and [Dev Environments containers](../../desktop/dev-environments/_index.md).
and [Dev Environments containers](../../../desktop/dev-environments/_index.md).
### Does ECI protect containers launched prior to enabling ECI?

@ -16,7 +16,7 @@ When [Enhanced Container Isolation is enabled](index.md#how-do-i-enable-enhanced
created by users through `docker run` or `docker create` are automatically
launched using Sysbox instead of the standard OCI runc runtime. Users need not
do anything else and can continue to use containers as usual. For exceptions,
see [FAQs](../../../security/faqs/eci-faq.md).
see [FAQs](faq.md).
Even containers that use the insecure `--privileged` flag can now be run
securely with Enhanced Container Isolation, such that they can no longer be used

@ -56,7 +56,7 @@ and it's an excellent way for users to run their favorite Linux distro on
Windows hosts and access Docker from within (see Docker Desktop's WSL distro
integration feature, enabled via the Dashboard's **Settings** > **Resources** > **WSL Integration**).
### Docker Builds with the "Docker" driver are not protected by ECI
### ECI protection for Docker Builds with the "Docker" driver
Prior to Docker Desktop 4.30, `docker build` commands that use the buildx
`docker` driver (the default) are not protected by ECI (i.e., the build runs
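Review bot: the new heading "ECI protection for Docker Builds with the "Docker" driver" no longer states the limitation on a page titled Limitations, even though the body still says builds with the default `docker` driver are unprotected before Docker Desktop 4.30 (and the FAQ in this commit adds that they remain unprotected on WSL 2). A heading that carries the condition, such as "Docker builds with the `docker` driver are only protected from Docker Desktop 4.30", keeps the page scannable; also prefer lowercase "builds" and backticked `docker` to match the body text.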

@ -0,0 +1,51 @@
---
description: Find the answers to container security related FAQs
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, platform, Docker Scout, admin, security
title: Container security FAQs
tags: [FAQ]
aliases:
- /faq/security/containers/
---
### How are containers isolated from the host in Docker Desktop?
Docker Desktop runs all containers inside a customized / minimal Linux virtual
machine (except for native Windows containers). This adds a strong layer of
isolation between containers and the host the machine, even if containers are
running rootful.
However note the following:
* Containers have access to host files configured for file sharing via Settings
-> Resources -> File Sharing (see the next FAQ question below for more info).
* By default, containers run as root but with limited capabilities inside the
Docker Desktop VM. Containers running with elevated privileges (e.g.,
`--privileged`, `--pid=host`, `--cap-add`, etc.) run as root with elevated
privileges inside the Docker Desktop VM which gives them access to Docker
Desktop VM internals, including the Docker Engine. Thus, users must be careful
which containers they run with such privileges to avoid security breaches by
malicious container images.
* If [Enhanced Container Isolation (ECI)](../../desktop/hardened-desktop/enhanced-container-isolation/_index.md)
mode is enabled, then each container runs within a dedicated Linux User
Namespace inside the Docker Desktop VM, which means the container has no
privileges within the Docker Desktop VM. Even when using the `--privileged`
flag or similar, the container processes will only be privileged within the
container's logical boundary, but unprivileged otherwise. In addition, ECI protects
uses other advanced techniques to ensure they can't easily breach
the Docker Desktop VM and Docker Engine within (see the ECI section for more
info). No changes to the containers or user workflows are required as the
extra protection is added under the covers.
### To which portions of the host filesystem do containers have read and write access?
Containers can only access host files if these are shared via Settings -> Resources -> File Sharing,
and only when such files are bind-mounted into the container (e.g., `docker run -v /path/to/host/file:/mnt ...`).
### Can containers running as root gain access to admin-owned files or directories on the host?
No; host file sharing (bind mount from the host filesystem) uses a user-space crafted
file server (running in `com.docker.backend` as the user running Docker
Desktop), so containers cant gain any access that the user on the host doesnt
already have.
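Review bot: the new file carries several wording defects that should be fixed before merge. The `keywords` line repeats the "secuirty" typo that this same commit corrects in the other two FAQ front matters; "isolation between containers and the host the machine" should read "the host machine"; and "In addition, ECI protects uses other advanced techniques to ensure they can't easily breach the Docker Desktop VM" has a stray "protects" and a dangling "they", so suggest "In addition, ECI uses other advanced techniques to ensure containers can't easily breach the Docker Desktop VM and the Docker Engine within". The settings path is also written as plain `Settings -> Resources -> File Sharing` twice, whereas the limitations page in this commit uses the docs' **Settings** > **Resources** > **WSL Integration** form; use the bold/chevron form here too.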

@ -1,6 +1,6 @@
---
description: Find the answers to common security related FAQs
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform, Docker Scout, admin, security
keywords: Docker, Docker Hub, Docker Desktop security FAQs, platform, Docker Scout, admin, security
title: General security FAQs
tags: [FAQ]
aliases:
@ -73,10 +73,6 @@ If SCIM isn't enabled, you have to manually remove PAT users from the organizati
For information about the metadata stored by Docker Scout, see [Data handling](../../scout/data-handling.md).
### To which portions of the host filesystem do containers have read and write access? Can containers running as root gain access to admin-owned files or directories on the host?
File sharing (bind mount from the host filesystem) uses a user-space crafted file server (running in `com.docker.backend` as the user running Docker Desktop), so containers cant gain any access that the user on the host doesnt already have.
### How are extensions within the Marketplace vetted for security prior to placement?
Security vetting for extensions is on our roadmap however this vetting isn't currently done.
@ -86,4 +82,3 @@ Extensions are not covered as part of Dockers Third-Party Risk Management Pro
### Can I disable private repos in my organization via a setting to make sure nobody is pushing images into Docker Hub?
No. With [Registry Access Management](../../security/for-admins/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard on Docker Hub.

@ -1,6 +1,6 @@
---
description: Find the answers to FAQs related to networking and virtualization
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform, networks, vms
keywords: Docker, Docker Hub, Docker Desktop security FAQs, security, platform, networks, vms
title: Network and VM FAQs
tags: [FAQ]
aliases:

@ -1180,6 +1180,8 @@ Manuals:
title: Advanced configuration options
- path: /desktop/hardened-desktop/enhanced-container-isolation/limitations/
title: Limitations
- path: /desktop/hardened-desktop/enhanced-container-isolation/faq/
title: FAQ
- sectiontitle: Dev Environments (Beta)
section:
- path: /desktop/dev-environments/
@ -2214,8 +2216,8 @@ Manuals:
title: General
- path: /security/faqs/networking-and-vms/
title: Networking and VMs
- path: /security/faqs/eci-faq/
title: Enhanced Container Isolation
- path: /security/faqs/containers/
title: Containers
- sectiontitle: Single Sign-On
section:
- path: /security/faqs/single-sign-on/faqs/