Add note that docker builds are not always protected by ECI. (#19900)

* Add note that docker build are not always protected by ECI.

Signed-off-by: Cesar Talledo <[email protected]>

* Add ECI limitations to TOC.

Signed-off-by: Cesar Talledo <[email protected]>

---------

Signed-off-by: Cesar Talledo <[email protected]>

Author: ctalledo

content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md

@@ -56,6 +56,24 @@ and it's an excellent way for users to run their favorite Linux distro on
 Windows hosts and access Docker from within (see Docker Desktop's WSL distro
 integration feature, enabled via the Dashboard's **Settings** > **Resources** > **WSL Integration**).
 
+### Docker Builds with the "Docker" driver are not protected by ECI
+
+Prior to Docker Desktop 4.30, `docker build` commands that use the buildx
+`docker` driver (the default) are not protected by ECI (i.e., the build runs
+rootful inside the Docker Desktop VM).
+
+Starting with Docker Desktop 4.30, `docker build` commands that use the buildx
+`docker` driver are protected by ECI (i.e., the build runs rootless inside
+the Docker Desktop VM), except when Docker Desktop is configured to use WSL 2
+(on Windows hosts). We expect to improve on this in future versions of Docker
+Desktop.
+
+Note that `docker build` commands that use the `docker-container` driver are
+always protected by ECI (i.e., the build runs inside a rootless Docker
+container). This is true since Docker Desktop 4.19 (when ECI was introduced) and
+on all platforms where Docker Desktop is supported (Windows with WSL or Hyper-V,
+Mac, and Linux).
+
 ### Docker Build and Buildx have some restrictions
 
 With ECI enabled, Docker build `--network=host` and Docker Buildx entitlements

content/security/faqs/eci-faq.md

@@ -67,11 +67,19 @@ See [ECI Docker socket mount permissions](../../desktop/hardened-desktop/enhance
 ### Does ECI protect all containers launched with Docker Desktop?
 
 Not yet. It protects all containers launched by users via `docker create` and
-`docker run`. In addition, it protects containers implicitly used by `docker build`, when
-using the [docker-container build driver](../../build/drivers/_index.md).
+`docker run`.
 
-It does not yet protect containers implicitly used by `docker build` with the
-`docker` build driver, nor Docker Desktop Kubernetes pods, Extension containers,
+Prior to Docker Desktop 4.30, it did not protect containers implicitly used by
+`docker build` with the `docker` build driver (the default driver). Starting
+with Docker Desktop 4.30, it protects such containers, except for Docker Desktop
+on WSL 2 (Windows hosts).
+
+Note that ECI always protects containers used by `docker build`, when using the
+[docker-container build driver](../../build/drivers/_index.md), since Docker
+Desktop 4.19 and on all supported platforms (Windows with WSL 2 or Hyper-V, Mac,
+and Linux).
+
+ECI does not yet protect Docker Desktop Kubernetes pods, Extension containers,
 and [Dev Environments containers](../../desktop/dev-environments/_index.md).
 
 ### Does ECI protect containers launched prior to enabling ECI?

data/toc.yaml

@@ -1116,7 +1116,7 @@ Manuals:
   section:
     - path: /desktop/
       title: Overview
-    - sectiontitle: Install 
+    - sectiontitle: Install
       section:
        - path: /desktop/install/mac-install/
          title: Mac
@@ -1178,6 +1178,8 @@ Manuals:
             title: Key features and benefits
           - path: /desktop/hardened-desktop/enhanced-container-isolation/config/
             title: Advanced configuration options
+          - path: /desktop/hardened-desktop/enhanced-container-isolation/limitations/
+            title: Limitations
     - sectiontitle: Dev Environments (Beta)
       section:
         - path: /desktop/dev-environments/