-rw-r--r--cmd/podman/inspect.go2
-rw-r--r--cmd/podman/spec.go1
-rw-r--r--libpod/options.go12
-rw-r--r--test/podman_run_security.bats34
4 files changed, 48 insertions, 1 deletions
diff --git a/cmd/podman/inspect.go b/cmd/podman/inspect.go
index 5e9fc53bb..01de6587d 100644
--- a/cmd/podman/inspect.go
+++ b/cmd/podman/inspect.go
@@ -188,7 +188,7 @@ func getCtrInspectInfo(ctr *libpod.Container, ctrInspectData *libpod.ContainerIn
MemorySwappiness: memSwappiness,
OomKillDisable: memDisableOOMKiller,
PidsLimit: pidsLimit,
- Privileged: spec.Process.NoNewPrivileges,
+ Privileged: config.Privileged,
ReadonlyRootfs: spec.Root.Readonly,
Runtime: ctr.RuntimeName(),
NetworkMode: string(createArtifact.NetMode),
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index cb9efdcb2..d18da79ea 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -608,6 +608,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
options = append(options, libpod.WithHosts(c.HostAdd))
}
+ options = append(options, libpod.WithPrivileged(c.Privileged))
return options, nil
}
diff --git a/libpod/options.go b/libpod/options.go
index f82cb20c4..28962b4b5 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -268,6 +268,18 @@ func WithShmSize(size int64) CtrCreateOption {
}
}
+// WithPrivileged sets the privileged flag in the container runtime
+func WithPrivileged(privileged bool) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.Privileged = privileged
+ return nil
+ }
+}
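Review bot: The doc comment on WithPrivileged overstates what the option does: the body only stores the flag in ctr.config.Privileged, and nothing in this hunk changes capabilities, seccomp, or device access, so a reader may assume calling it grants privilege by itself. Suggest `// WithPrivileged records whether the container was created with --privileged; it only sets the config flag (used by inspect) and does not itself alter the OCI spec.` The guard on ctr.valid returning ErrCtrFinalized matches the neighbouring options, which is good. Whether other code reads ctr.config.Privileged to actually apply the privileged settings is outside this hunk and should be confirmed.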
+
// WithSELinuxLabels sets the mount label for SELinux
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
return func(ctr *Container) error {
diff --git a/test/podman_run_security.bats b/test/podman_run_security.bats
new file mode 100644
index 000000000..07dabf44b
--- /dev/null
+++ b/test/podman_run_security.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+ cleanup_test
+}
+
+function setup() {
+ copy_images
+}
+
+@test "run privileged test" {
+ cap=$(grep CapEff /proc/self/status | cut -f2 -d":")
+
+ run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --privileged ${ALPINE} grep CapEff /proc/self/status
+ echo $output
+ [ "$status" -eq 0 ]
+ containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+ [ $containercap = $cap ]
+
+ run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --cap-add all ${ALPINE} grep CapEff /proc/self/status
+ echo $output
+ [ "$status" -eq 0 ]
+ containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+ [ $containercap = $cap ]
+
+ cap=$(grep CapAmb /proc/self/status | cut -f2 -d":")
+ run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --cap-drop all ${ALPINE} grep CapEff /proc/self/status
+ echo $output
+ [ "$status" -eq 0 ]
+ containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+ [ $containercap = $cap ]
+}
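Review bot: The `--cap-drop all` check in the last run compares the container's CapEff with the host's CapAmb rather than with the value the test wants to prove, so it passes only when the host happens to have no ambient capabilities and would fail spuriously on a host that has some. Assert the expected empty set directly: `[ "$containercap" = "0000000000000000" ]`. The other comparisons should quote both sides as well (`[ "$containercap" = "$cap" ]`), since an empty `$output` from a failed grep currently turns the `[` test into a syntax error instead of a clean assertion failure. The first two runs also assume the test process itself holds the full capability set, which is worth stating in a comment at the top of the test.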