author | Niall Crowe <nicrowe@redhat.com> | 2022-05-30 11:11:00 +0100 |
---|---|---|
committer | Matthew Heon <mheon@redhat.com> | 2022-06-14 14:35:36 -0400 |
commit | 5b6252467335656980cb4c3acdd5e7b0e2478429 (patch) | |
tree | da4d2ce2bb5a20f974577c335702e65aa95bdaa8 /pkg | |
parent | 8612facae52b6f45c291bda2bcda28d850b48128 (diff) | |
Podman no-new-privileges format
In docker, the format of no-new-privileges is
"no-new-privileges:true". However, for Podman
all that's required is "no-new-privileges", leading to issues
when attempting to use features designed for docker in podman.
Adding support for the ":" format to be used along with the "="
format, depending on which one is entered by the user.
fixes #14133
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgenutil/specgen.go | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 9cb2f200b..efaade9cd 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 if opt == "no-new-privileges" {
 s.ContainerSecurityConfig.NoNewPrivileges = true
 } else {
- con := strings.SplitN(opt, "=", 2)
+ // Docker deprecated the ":" syntax but still supports it,
+ // so we need to as well
+ var con []string
+ if strings.Contains(opt, "=") {
+ con = strings.SplitN(opt, "=", 2)
+ } else {
+ con = strings.SplitN(opt, ":", 2)
+ }
 if len(con) != 2 {
 return fmt.Errorf("invalid --security-opt 1: %q", opt)
 }
@@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 }
 case "unmask":
 s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
+ case "no-new-privileges":
+ noNewPrivileges, err := strconv.ParseBool(con[1])
+ if err != nil {
+ return fmt.Errorf("invalid --security-opt 2: %q", opt)
+ }
+ s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
 default:
 return fmt.Errorf("invalid --security-opt 2: %q", opt)
 } |
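Review bot: The delimiter is chosen by whether `=` appears anywhere in the option, not by which separator comes first, so a colon-form option whose value contains `=` (for example a profile or mask path with `=` in it) is split on the wrong character. The key then includes the `:` and the rest of the value's prefix, and the option is rejected by the switch further down, which is outside this hunk. The failure is an error rather than a silently ignored setting, but it rejects input that the comment says should be supported. Splitting at the first separator of either kind avoids it: `if i := strings.IndexAny(opt, "=:"); i >= 0 { con = []string{opt[:i], opt[i+1:]} }`, leaving the existing `len(con) != 2` check to handle the no-separator case.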
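Review bot: The new `no-new-privileges` case assigns the parsed value unconditionally, so an explicit `false` clears a flag that an earlier bare `no-new-privileges` had set to true, assuming this code runs once per `--security-opt` value (the loop is not visible in the hunk). If last-one-wins is intended for a hardening flag, say so next to the assignment, e.g. `// An explicit false clears the flag; the last occurrence wins.` The error branch also reuses the exact message of the `default` case and drops `err`, so a mistyped boolean is indistinguishable from an unknown option. Something like `return fmt.Errorf("invalid --security-opt %q: no-new-privileges expects a boolean: %w", opt, err)` would make the misconfiguration easier to diagnose. The enclosing switch starts and ends outside the hunk.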