Allow system owner to specify certificates/constraints for containers. Consider executing different systems (from different sources) on the host and inside container. They are signed by different certificates. However it should not be possible to execute in-container binary on the host system (and ideally it should not be possible to execute host binary inside container). It must be System Owner (rather than root user) who controls these constraints.
Allow system owner to specify certificates/constraints for containers. Consider executing different systems (from different sources) on the host and inside container. They are signed by different certificates. However it should not be possible to execute in-container binary on the host system (and ideally it should not be possible to execute host binary inside container). It must be System Owner (rather than root user) who controls these constraints.