-rw-r--r--.papr.yml2
-rw-r--r--cmd/podman/spec.go1
-rw-r--r--libpod/container_api.go3
-rw-r--r--libpod/options.go12
-rw-r--r--test/e2e/libpod_suite_test.go26
-rw-r--r--test/e2e/run_privileged_test.go17
6 files changed, 40 insertions, 21 deletions
diff --git a/.papr.yml b/.papr.yml
index 88bee2924..8332fa50a 100644
--- a/.papr.yml
+++ b/.papr.yml
@@ -38,7 +38,7 @@ context: "CAH smoketested"
inherit: true
host:
- distro: fedora/27/cloud
+ distro: fedora/27/cloud/pungi
specs:
ram: 8192
cpus: 4
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index d535383ba..c4202fcef 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -665,7 +665,6 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
}
options = append(options, libpod.WithPrivileged(c.Privileged))
- options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
return options, nil
}
diff --git a/libpod/container_api.go b/libpod/container_api.go
index f79be4ac7..eeba36a44 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -236,11 +236,12 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
globalOpts := runcGlobalOptions{
log: c.LogPath(),
}
+
execOpts := runcExecOptions{
capAdd: capList,
pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
env: env,
- noNewPrivs: c.config.NoNewPrivs,
+ noNewPrivs: c.config.Spec.Process.NoNewPrivileges,
user: user,
cwd: c.config.Spec.Process.Cwd,
tty: tty,
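Review bot: `noNewPrivs: c.config.Spec.Process.NoNewPrivileges` makes the OCI spec the source of the flag for exec, but nothing on the line records that decision; a comment such as `// exec inherits the container's no_new_privs setting from its OCI spec` would stop a later change from reintroducing a parallel libpod-level flag like the removed config.NoNewPrivs. The dereference of `Spec.Process` is already assumed by the existing `cwd: c.config.Spec.Process.Cwd` line, so this hunk adds no new nil risk. Exec's body continues outside the hunk.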
diff --git a/libpod/options.go b/libpod/options.go
index 6982a26c2..56e8fa203 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -272,18 +272,6 @@ func WithPrivileged(privileged bool) CtrCreateOption {
}
}
-// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
-func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
- return func(ctr *Container) error {
- if ctr.valid {
- return ErrCtrFinalized
- }
-
- ctr.config.NoNewPrivs = noNewPrivs
- return nil
- }
-}
-
// WithSELinuxLabels sets the mount label for SELinux
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
return func(ctr *Container) error {
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index bd117d5f4..ed9694092 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -16,6 +16,7 @@ import (
"github.com/containers/image/transports/alltransports"
"github.com/containers/image/types"
sstorage "github.com/containers/storage"
+ "github.com/containers/storage/pkg/parsers/kernel"
"github.com/containers/storage/pkg/reexec"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
@@ -72,6 +73,10 @@ func TestLibpod(t *testing.T) {
if reexec.Init() {
os.Exit(1)
}
+ if os.Getenv("NOCACHE") == "1" {
+ CACHE_IMAGES = []string{}
+ RESTORE_IMAGES = []string{}
+ }
RegisterFailHandler(Fail)
RunSpecs(t, "Libpod Suite")
}
@@ -480,3 +485,24 @@ func (p *PodmanTest) GetHostDistribution() string {
}
return ""
}
+
+// IsKernelNewThan compares the current kernel version to one provided. If
+// the kernel is equal to or greater, returns true
+func IsKernelNewThan(version string) (bool, error) {
+ inputVersion, err := kernel.ParseRelease(version)
+ if err != nil {
+ return false, err
+ }
+ kv, err := kernel.GetKernelVersion()
+ if err == nil {
+ return false, err
+ }
+ // CompareKernelVersion compares two kernel.VersionInfo structs.
+ // Returns -1 if a < b, 0 if a == b, 1 it a > b
+ result := kernel.CompareKernelVersion(*kv, *inputVersion)
+ if result >= 0 {
+ return true, nil
+ }
+ return false, nil
+
+}
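Review bot: The error check after `kernel.GetKernelVersion()` is inverted — `if err == nil { return false, err }` returns `false, nil` whenever the lookup succeeds and falls through to dereference a nil `kv` when it fails; it should read `if err != nil {`. As written, every caller on a working host sees `false, nil`, so the no-new-privileges test in run_privileged_test.go that gates on this helper is always skipped and the feature is never exercised. The doc comment says "equal to or greater", which matches `result >= 0` but not the name `IsKernelNewThan`; at minimum fix the comment wording, and the tail `if result >= 0 { return true, nil }` / `return false, nil` collapses to `return result >= 0, nil`. The stray blank line before the closing brace should also go.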
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index 3df90b218..6692c91c7 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -1,12 +1,11 @@
package integration
import (
- "fmt"
"os"
+ "strings"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
- "strings"
)
var _ = Describe("Podman privileged container tests", func() {
@@ -84,23 +83,29 @@ var _ = Describe("Podman privileged container tests", func() {
})
It("run no-new-privileges test", func() {
+ // Check if our kernel is new enough
+ k, err := IsKernelNewThan("4.14")
+ Expect(err).To(BeNil())
+ if !k {
+ Skip("Kernel is not new enough to test this feature")
+ }
+
cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
cap.WaitWithDefaultTimeout()
if cap.ExitCode() != 0 {
- fmt.Println("Can't determine NoNewPrivs")
- return
+ Skip("Can't determine NoNewPrivs")
}
session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- privs := strings.Split(cap.OutputToString(), ":")
+ privs := strings.Split(cap.OutputToString(), ":")
session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- noprivs := strings.Split(cap.OutputToString(), ":")
+ noprivs := strings.Split(cap.OutputToString(), ":")
Expect(privs[1]).To(Not(Equal(noprivs[1])))
})