-rw-r--r-- | cmd/podman/create.go | 4 | ||||
-rw-r--r-- | cmd/podman/spec.go | 3 | ||||
-rw-r--r-- | libpod/container_api.go | 13 | ||||
-rw-r--r-- | libpod/options.go | 12 | ||||
-rw-r--r-- | test/e2e/run_privileged_test.go | 23 |
5 files changed, 46 insertions, 9 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 810a5e3ed..46429b335 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -128,7 +128,7 @@ type createConfig struct {
 WorkDir string //workdir
 MountLabel string //SecurityOpts
 ProcessLabel string //SecurityOpts
- NoNewPrivileges bool //SecurityOpts
+ NoNewPrivs bool //SecurityOpts
 ApparmorProfile string //SecurityOpts
 SeccompProfilePath string //SecurityOpts
 SecurityOpts []string
@@ -252,7 +252,7 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {
 for _, opt := range securityOpts {
 if opt == "no-new-privileges" {
- config.NoNewPrivileges = true
+ config.NoNewPrivs = true
 } else {
 con := strings.SplitN(opt, "=", 2)
 if len(con) != 2 {
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 2c2005399..d535383ba 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -259,7 +259,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 }
 // SECURITY OPTS
- g.SetProcessNoNewPrivileges(config.NoNewPrivileges)
+ g.SetProcessNoNewPrivileges(config.NoNewPrivs)
 g.SetProcessApparmorProfile(config.ApparmorProfile)
 g.SetProcessSelinuxLabel(config.ProcessLabel)
 g.SetLinuxMountLabel(config.MountLabel)
@@ -665,6 +665,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 }
 options = append(options, libpod.WithPrivileged(c.Privileged))
+ options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
 return options, nil
 }
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 2dfb166ec..f79be4ac7 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -237,12 +237,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 log: c.LogPath(),
 }
 execOpts := runcExecOptions{
- capAdd: capList,
- pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
- env: env,
- user: user,
- cwd: c.config.Spec.Process.Cwd,
- tty: tty,
+ capAdd: capList,
+ pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
+ env: env,
+ noNewPrivs: c.config.NoNewPrivs,
+ user: user,
+ cwd: c.config.Spec.Process.Cwd,
+ tty: tty,
 }
 return c.runtime.ociRuntime.execContainer(c, cmd, globalOpts, execOpts)
diff --git a/libpod/options.go b/libpod/options.go
index 56e8fa203..6982a26c2 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
 }
 }
+// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
+func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.NoNewPrivs = noNewPrivs
+ return nil
+ }
+}
+
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 return func(ctr *Container) error {
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index 430698ba1..3df90b218 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -1,6 +1,7 @@
 package integration
 import (
+ "fmt"
 "os"
 . "github.com/onsi/ginkgo"
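Review bot: `noNewPrivs: c.config.NoNewPrivs` only has an effect if `execContainer` translates the field into runc's `--no-new-privs` flag, and neither `runcExecOptions` nor `libpod/oci.go` is in this diffstat, so the field presumably already existed; it is worth confirming it is actually consumed there, otherwise `podman exec` into a container created with `--security-opt no-new-privileges` still gets a process that can regain privileges via setuid or file-capability binaries. Propagating the container's setting to exec sessions is the right call, since an exec session that does not inherit it undermines the policy the main process was started under. A one-line why-comment would help the next reader: `// exec sessions inherit the container's no_new_privs setting so they cannot regain privileges the main process gave up`. Exec's body starts before this hunk.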
@@ -81,4 +82,26 @@ var _ = Describe("Podman privileged container tests", func() {
 Expect(session.ExitCode()).To(Equal(0))
 Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
 })
+
+ It("run no-new-privileges test", func() {
+ cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
+ cap.WaitWithDefaultTimeout()
+ if cap.ExitCode() != 0 {
+ fmt.Println("Can't determine NoNewPrivs")
+ return
+ }
+
+ session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ privs := strings.Split(cap.OutputToString(), ":")
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ noprivs := strings.Split(cap.OutputToString(), ":")
+
+ Expect(privs[1]).To(Not(Equal(noprivs[1])))
+ })
+
 }) |
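Review bot: Both `privs` and `noprivs` are split from `cap.OutputToString()`, the host's `/proc/self/status`, instead of from the two container sessions, so the final `Not(Equal)` assertion compares the host value with itself and cannot pass; the two lines should read `privs := strings.Split(session.OutputToString(), ":")` and `noprivs := strings.Split(session.OutputToString(), ":")`. Because the option must guarantee a state rather than merely change it, the stronger check is `Expect(strings.TrimSpace(noprivs[1])).To(Equal("1"))`, which also keeps the test meaningful on a host that already runs with NoNewPrivs set. The early `return` after `fmt.Println` reports a green test when nothing was verified; `Skip("Can't determine NoNewPrivs")` is the Ginkgo way to record that. The body uses `strings`, yet the import hunk above adds only `fmt`, so confirm `strings` is already imported in this file.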