-rw-r--r--cmd/podman/create.go4
-rw-r--r--cmd/podman/spec.go3
-rw-r--r--libpod/container_api.go13
-rw-r--r--libpod/options.go12
-rw-r--r--test/e2e/run_privileged_test.go23
5 files changed, 46 insertions, 9 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 810a5e3ed..46429b335 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -128,7 +128,7 @@ type createConfig struct {
WorkDir string //workdir
MountLabel string //SecurityOpts
ProcessLabel string //SecurityOpts
- NoNewPrivileges bool //SecurityOpts
+ NoNewPrivs bool //SecurityOpts
ApparmorProfile string //SecurityOpts
SeccompProfilePath string //SecurityOpts
SecurityOpts []string
@@ -252,7 +252,7 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {
for _, opt := range securityOpts {
if opt == "no-new-privileges" {
- config.NoNewPrivileges = true
+ config.NoNewPrivs = true
} else {
con := strings.SplitN(opt, "=", 2)
if len(con) != 2 {
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 2c2005399..d535383ba 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -259,7 +259,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
// SECURITY OPTS
- g.SetProcessNoNewPrivileges(config.NoNewPrivileges)
+ g.SetProcessNoNewPrivileges(config.NoNewPrivs)
g.SetProcessApparmorProfile(config.ApparmorProfile)
g.SetProcessSelinuxLabel(config.ProcessLabel)
g.SetLinuxMountLabel(config.MountLabel)
@@ -665,6 +665,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
}
options = append(options, libpod.WithPrivileged(c.Privileged))
+ options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
return options, nil
}
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 2dfb166ec..f79be4ac7 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -237,12 +237,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
log: c.LogPath(),
}
execOpts := runcExecOptions{
- capAdd: capList,
- pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
- env: env,
- user: user,
- cwd: c.config.Spec.Process.Cwd,
- tty: tty,
+ capAdd: capList,
+ pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
+ env: env,
+ noNewPrivs: c.config.NoNewPrivs,
+ user: user,
+ cwd: c.config.Spec.Process.Cwd,
+ tty: tty,
}
return c.runtime.ociRuntime.execContainer(c, cmd, globalOpts, execOpts)
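Review bot: The added `noNewPrivs: c.config.NoNewPrivs` makes every exec session inherit the container's setting, and `Exec`'s parameters (`tty, privileged, env, cmd, user`) give callers no way to relax it, which is the safe default but deserves a line at the field so nobody later adds a per-exec override by accident: `noNewPrivs: c.config.NoNewPrivs, // exec sessions inherit the container-level no-new-privileges setting; no per-exec override`. How this bit interacts with a `privileged` exec that also passes `capAdd: capList` is decided inside `execContainer`, which is not in the hunk, so I cannot tell from here whether that combination behaves as intended; `Exec`'s body also continues past the hunk.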
diff --git a/libpod/options.go b/libpod/options.go
index 56e8fa203..6982a26c2 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
}
}
+// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
+func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.NoNewPrivs = noNewPrivs
+ return nil
+ }
+}
+
// WithSELinuxLabels sets the mount label for SELinux
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
return func(ctr *Container) error {
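Review bot: The doc comment on `WithNoNewPrivs` says it sets the flag "in the container runtime", but the body only records the value on `ctr.config`; the runtime effect comes from where that field is read (the exec options in container_api.go in this same commit). A comment matching the code would be `// WithNoNewPrivs records whether the container's processes should run with no-new-privileges set; the stored value is read when exec sessions are started`. The `ctr.valid` / `ErrCtrFinalized` guard follows the same pattern as `WithPrivileged` directly above, so the option itself is consistent with the file.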
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index 430698ba1..3df90b218 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -1,6 +1,7 @@
package integration
import (
+ "fmt"
"os"
. "github.com/onsi/ginkgo"
@@ -81,4 +82,26 @@ var _ = Describe("Podman privileged container tests", func() {
Expect(session.ExitCode()).To(Equal(0))
Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
})
+
+ It("run no-new-privileges test", func() {
+ cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
+ cap.WaitWithDefaultTimeout()
+ if cap.ExitCode() != 0 {
+ fmt.Println("Can't determine NoNewPrivs")
+ return
+ }
+
+ session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ privs := strings.Split(cap.OutputToString(), ":")
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ noprivs := strings.Split(cap.OutputToString(), ":")
+
+ Expect(privs[1]).To(Not(Equal(noprivs[1])))
+ })
+
})
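Review bot: Both `privs` and `noprivs` are split from `cap.OutputToString()`, the host-side grep, so the two slices are always identical and the closing `Expect(privs[1]).To(Not(Equal(noprivs[1])))` cannot distinguish the two container runs; each should read the matching `session`, i.e. `privs := strings.Split(session.OutputToString(), ":")` after the first run and `noprivs := strings.Split(session.OutputToString(), ":")` after the second. Asserting inequality is also weaker than needed, since a host that already runs with NoNewPrivs set would make both container outputs equal; asserting `strings.TrimSpace(noprivs[1])` equals `"1"` pins the bit the `--security-opt no-new-privileges` run is meant to set. When the host cannot report NoNewPrivs the test prints a message and returns, which counts as a pass; ginkgo's `Skip("Can't determine NoNewPrivs")` records it as skipped instead. The import hunk adds only `fmt`; whether `strings` is already imported is not visible here because that hunk ends before the import block closes.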