Mention ECI in the Mac/Windows permission requirements section. (#19607)

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

content/desktop/mac/permission-requirements.md

@@ -166,4 +166,22 @@ $ rm /Library/PrivilegedHelperTools/com.docker.vmnetd
 
 ## Containers running as root within the Linux VM
 
-The Docker daemon and containers run in a lightweight Linux VM managed by Docker. This means that although containers run by default as `root`, this doesn't grant `root` access to the Mac host machine. The Linux VM serves as a security boundary and limits what resources can be accessed from the host. Any directories from the host bind mounted into Docker containers still retain their original permissions.
+With Docker Desktop, the Docker daemon and containers run in a lightweight Linux
+VM managed by Docker. This means that although containers run by default as
+`root`, this doesn't grant `root` access to the Mac host machine. The Linux VM
+serves as a security boundary and limits what resources can be accessed from the
+host. Any directories from the host bind mounted into Docker containers still
+retain their original permissions.
+
+## Enhanced Container Isolation
+
+In addition, Docker Desktop supports [Enhanced Container Isolation
+mode](../hardened-desktop/enhanced-container-isolation/_index.md) (ECI),
+available to Business customers only, which further secures containers without
+impacting developer workflows.
+
+ECI automatically runs all containers within a Linux user-namespace, such that
+root in the container is mapped to an unprivileged user inside the Docker
+Desktop VM. ECI uses this and other advanced techniques to further secure
+containers within the Docker Desktop Linux VM, such that they are further
+isolated from the Docker daemon and other services running inside the VM.

content/desktop/windows/permission-requirements.md

@@ -39,8 +39,28 @@ The service start mode depends on which container engine is selected, and, for W
 
 ## Containers running as root within the Linux VM
 
-The Linux Docker daemon and containers run in a minimal, special-purpose Linux VM managed by Docker. It is immutable so you can’t extend it or change the installed software. 
-This means that although containers run by default as `root`, this doesn't allow altering the VM and doesn't grant `Administrator` access to the Windows host machine. The Linux VM serves as a security boundary and limits what resources from the host can be accessed. File sharing uses a user-space crafted file server and any directories from the host bind mounted into Docker containers still retain their original permissions. It doesn't give you access to any files that it doesn’t already have access to.
+The Linux Docker daemon and containers run in a minimal, special-purpose Linux
+VM managed by Docker. It is immutable so you can’t extend it or change the
+installed software.  This means that although containers run by default as
+`root`, this doesn't allow altering the VM and doesn't grant `Administrator`
+access to the Windows host machine. The Linux VM serves as a security boundary
+and limits what resources from the host can be accessed. File sharing uses a
+user-space crafted file server and any directories from the host bind mounted
+into Docker containers still retain their original permissions. It doesn't give
+you access to any files that it doesn’t already have access to.
+
+## Enhanced Container Isolation
+
+In addition, Docker Desktop supports [Enhanced Container Isolation
+mode](../hardened-desktop/enhanced-container-isolation/_index.md) (ECI),
+available to Business customers only, which further secures containers without
+impacting developer workflows.
+
+ECI automatically runs all containers within a Linux user-namespace, such that
+root in the container is mapped to an unprivileged user inside the Docker
+Desktop VM. ECI uses this and other advanced techniques to further secure
+containers within the Docker Desktop Linux VM, such that they are further
+isolated from the Docker daemon and other services running inside the VM.
 
 ## Windows Containers