authorGiuseppe Scrivano <gscrivan@redhat.com>2020-11-02 14:45:54 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2020-11-02 15:46:56 +0100
commitafa4ec0db01b620be540e72e25fc86092e2fa303 (patch)
tree79e8b6fe947e1b817e742eb35a2066bd8231edca /pkg/specgen
parent6a9442909869a949d8930b24f9c0021022528333 (diff)
downloadpodman-afa4ec0db01b620be540e72e25fc86092e2fa303.tar.gz
podman-afa4ec0db01b620be540e72e25fc86092e2fa303.tar.bz2
podman-afa4ec0db01b620be540e72e25fc86092e2fa303.zip
specgen: keep capabilities with --userns=keep-id
if --userns=keep-id is specified and --user is not specified, take the unprivileged capabilities code path so that ambient capabilities are honored in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/generate/security.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index be6555195..dee140282 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -137,7 +137,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
user := strings.Split(s.User, ":")[0]
- if user == "" || user == "root" || user == "0" {
+ if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
} else {