diff options
author | Niall Crowe <nicrowe@redhat.com> | 2022-05-30 11:11:00 +0100 |
---|---|---|
committer | Niall Crowe <nicrowe@redhat.com> | 2022-05-30 15:06:42 +0100 |
commit | 7e69e2b53291dc839ea98c3b06d1c49ffe4bc90d (patch) | |
tree | c732991d79c60b6d591128210ae9a8e1b6356f16 /pkg/specgenutil | |
parent | a550af260a536aeaa35e4b8810971748a6f16f5f (diff) | |
download | podman-7e69e2b53291dc839ea98c3b06d1c49ffe4bc90d.tar.gz podman-7e69e2b53291dc839ea98c3b06d1c49ffe4bc90d.tar.bz2 podman-7e69e2b53291dc839ea98c3b06d1c49ffe4bc90d.zip |
Podman no-new-privileges format
In docker, the format of no-new-privileges is
"no-new-privileges:true". However, for Podman
all that's required is "no-new-privileges", leading to issues
when attempting to use features desgined for docker in podman.
Adding support for the ":" format to be used along with the "="
format, depedning on which one is entered by the user.
fixes #14133
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
Diffstat (limited to 'pkg/specgenutil')
-rw-r--r-- | pkg/specgenutil/specgen.go | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index 9cb2f200b..efaade9cd 100644 --- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions if opt == "no-new-privileges" { s.ContainerSecurityConfig.NoNewPrivileges = true } else { - con := strings.SplitN(opt, "=", 2) + // Docker deprecated the ":" syntax but still supports it, + // so we need to as well + var con []string + if strings.Contains(opt, "=") { + con = strings.SplitN(opt, "=", 2) + } else { + con = strings.SplitN(opt, ":", 2) + } if len(con) != 2 { return fmt.Errorf("invalid --security-opt 1: %q", opt) } @@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions } case "unmask": s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...) + case "no-new-privileges": + noNewPrivileges, err := strconv.ParseBool(con[1]) + if err != nil { + return fmt.Errorf("invalid --security-opt 2: %q", opt) + } + s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges default: return fmt.Errorf("invalid --security-opt 2: %q", opt) } |