-rw-r--r-- | cmd/podman/inspect.go | 2 | ||||
-rw-r--r-- | cmd/podman/spec.go | 1 | ||||
-rw-r--r-- | libpod/options.go | 12 | ||||
-rw-r--r-- | test/podman_run_security.bats | 34 |
4 files changed, 48 insertions, 1 deletions
diff --git a/cmd/podman/inspect.go b/cmd/podman/inspect.go
index 5e9fc53bb..01de6587d 100644
--- a/cmd/podman/inspect.go
+++ b/cmd/podman/inspect.go
@@ -188,7 +188,7 @@ func getCtrInspectInfo(ctr *libpod.Container, ctrInspectData *libpod.ContainerIn
 MemorySwappiness: memSwappiness,
 OomKillDisable: memDisableOOMKiller,
 PidsLimit: pidsLimit,
- Privileged: spec.Process.NoNewPrivileges,
+ Privileged: config.Privileged,
 ReadonlyRootfs: spec.Root.Readonly,
 Runtime: ctr.RuntimeName(),
 NetworkMode: string(createArtifact.NetMode),
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index cb9efdcb2..d18da79ea 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -608,6 +608,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 options = append(options, libpod.WithHosts(c.HostAdd))
 }
+ options = append(options, libpod.WithPrivileged(c.Privileged))
 return options, nil
 }
diff --git a/libpod/options.go b/libpod/options.go
index f82cb20c4..28962b4b5 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -268,6 +268,18 @@ func WithShmSize(size int64) CtrCreateOption {
 }
 }
+// WithPrivileged sets the privileged flag in the container runtime
+func WithPrivileged(privileged bool) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.Privileged = privileged
+ return nil
+ }
+}
+
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 return func(ctr *Container) error {
diff --git a/test/podman_run_security.bats b/test/podman_run_security.bats
new file mode 100644
index 000000000..07dabf44b
--- /dev/null
+++ b/test/podman_run_security.bats
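Review bot: `Privileged: config.Privileged` now reports only what WithPrivileged stored on the container config, so any container created before this change (whose saved config never had the field set) will inspect as `Privileged: false` no matter how it was started; if that matters for operators auditing running containers, say so in a comment next to the field, e.g. `// Privileged is only recorded for containers created with WithPrivileged; older containers report false.` The replaced value `spec.Process.NoNewPrivileges` was a different control altogether (it blocks privilege gain via setuid/file capabilities), so swapping it out is the right fix. `config` is assumed here to be the libpod container config; its declaration and the rest of getCtrInspectInfo lie outside the hunk.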
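Review bot: The doc comment `// WithPrivileged sets the privileged flag in the container runtime` overstates what the new WithPrivileged function does: the body only records the value in `ctr.config.Privileged`, and nothing in this hunk grants capabilities, exposes devices or relaxes seccomp/SELinux, so a reader could believe this option alone makes a container privileged. Suggest `// WithPrivileged records whether the container was requested as privileged so that inspect can report it; the capability, device and security-profile changes themselves are presumably applied where the OCI spec is generated, not by this option.` The `ctr.valid` guard returning ErrCtrFinalized matches the sibling options, which is good.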
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+ cleanup_test
+}
+
+function setup() {
+ copy_images
+}
+
+@test "run privileged test" {
+ cap=$(grep CapEff /proc/self/status | cut -f2 -d":")
+
+ run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --privileged ${ALPINE} grep CapEff /proc/self/status
+ echo $output
+ [ "$status" -eq 0 ]
+ containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+ [ $containercap = $cap ]
+
+ run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --cap-add all ${ALPINE} grep CapEff /proc/self/status
+ echo $output
+ [ "$status" -eq 0 ]
+ containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+ [ $containercap = $cap ]
+
+ cap=$(grep CapAmb /proc/self/status | cut -f2 -d":")
+ run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --cap-drop all ${ALPINE} grep CapEff /proc/self/status
+ echo $output
+ [ "$status" -eq 0 ]
+ containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+ [ $containercap = $cap ]
+} |
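Review bot: The third case compares the container's CapEff against the host's CapAmb (`cap=$(grep CapAmb /proc/self/status | cut -f2 -d":")`), which only passes because the ambient set of the shell running the suite is normally empty, and it reads like a typo for CapEff; assert the intended value directly, `[ "$containercap" = "0000000000000000" ]`, so a non-empty ambient set on the host cannot hide a container that kept capabilities after `--cap-drop all`. Quoting `$containercap` and `$cap` in the other two comparisons as well turns an empty grep result into a clean failure instead of a `[` syntax error. The first two checks also assume the suite runs as full root (host CapEff equals the full bounding set); a one-line comment stating that assumption would save the next person a confusing failure under a restricted runner. Only capabilities are covered here; `--privileged` also changes device and security-profile handling, which remains untested by this file.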