author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-05-31 05:07:28 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-31 05:07:28 -0400 |
commit | ccc087a30e7f84d656663e0b60cd2b918f5288fd (patch) | |
tree | c732991d79c60b6d591128210ae9a8e1b6356f16 | |
parent | a550af260a536aeaa35e4b8810971748a6f16f5f (diff) | |
parent | 7e69e2b53291dc839ea98c3b06d1c49ffe4bc90d (diff) | |
Merge pull request #14415 from nicrowe00/14133
no-new-privileges format
-rw-r--r-- | pkg/specgenutil/specgen.go | 15 | ||||
-rw-r--r-- | test/system/030-run.bats | 11 |
2 files changed, 25 insertions, 1 deletions
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 9cb2f200b..efaade9cd 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 if opt == "no-new-privileges" {
 s.ContainerSecurityConfig.NoNewPrivileges = true
 } else {
- con := strings.SplitN(opt, "=", 2)
+ // Docker deprecated the ":" syntax but still supports it,
+ // so we need to as well
+ var con []string
+ if strings.Contains(opt, "=") {
+ con = strings.SplitN(opt, "=", 2)
+ } else {
+ con = strings.SplitN(opt, ":", 2)
+ }
 if len(con) != 2 {
 return fmt.Errorf("invalid --security-opt 1: %q", opt)
 }
@@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 }
 case "unmask":
 s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
+ case "no-new-privileges":
+ noNewPrivileges, err := strconv.ParseBool(con[1])
+ if err != nil {
+ return fmt.Errorf("invalid --security-opt 2: %q", opt)
+ }
+ s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
 default:
 return fmt.Errorf("invalid --security-opt 2: %q", opt)
 }
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 283c3aea9..241831257 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -855,4 +855,15 @@ EOF
 run_podman rmi $test_image
 }
 
+@test "podman create --security-opt" {
+ run_podman create --security-opt no-new-privileges=true $IMAGE
+ run_podman rm $output
+ run_podman create --security-opt no-new-privileges:true $IMAGE
+ run_podman rm $output
+ run_podman create --security-opt no-new-privileges=false $IMAGE
+ run_podman rm $output
+ run_podman create --security-opt no-new-privileges $IMAGE
+ run_podman rm $output
+}
+
 # vim: filetype=sh |
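Review bot: Picking the separator with `strings.Contains(opt, "=")` mis-splits a deprecated colon-form option whose value itself contains `=` (for example a file path): the split lands on the `=` inside the value, and the mangled key is then presumably rejected with the generic `invalid --security-opt 2` error. Splitting at whichever separator occurs first avoids this, e.g. `if i := strings.IndexAny(opt, "=:"); i >= 0 { con = []string{opt[:i], opt[i+1:]} }`, leaving the existing `len(con) != 2` check to reject options that contain neither. The switch that consumes `con[0]` starts outside this hunk, so the exact failure path is inferred from the `default` branch visible in the next hunk.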
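Review bot: The `ParseBool` failure in the new `no-new-privileges` case returns the same `invalid --security-opt 2` text as the unknown-key `default` branch and discards `err`, so a mistyped value on a hardening flag cannot be told apart from an unsupported option. Something like `return fmt.Errorf("invalid --security-opt no-new-privileges value %q: %w", con[1], err)` would tell the operator which part was wrong. It is also worth a comment above the assignment stating that an explicit `false` overwrites whatever `NoNewPrivileges` held before, presumably including an earlier bare `no-new-privileges` in the same option list. The enclosing loop is outside the hunk, so confirm that last-one-wins is the intended behaviour.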
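Review bot: The new `podman create --security-opt` test only checks that each `create` succeeds; it never verifies that the flag ended up set or cleared. A regression that parsed `no-new-privileges=false` as enabled, or silently ignored the colon form, would still pass. Each case should inspect the created container and compare the reported no-new-privileges state with the expected value before `run_podman rm $output`. A negative case is missing as well: `run_podman 125 create --security-opt no-new-privileges=notabool $IMAGE` (assuming the usual 125 exit for option errors) would pin the `ParseBool` rejection path.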