Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_api.go13
-rw-r--r--libpod/options.go12
2 files changed, 19 insertions, 6 deletions
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 2dfb166ec..f79be4ac7 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -237,12 +237,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
log: c.LogPath(),
}
execOpts := runcExecOptions{
- capAdd: capList,
- pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
- env: env,
- user: user,
- cwd: c.config.Spec.Process.Cwd,
- tty: tty,
+ capAdd: capList,
+ pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
+ env: env,
+ noNewPrivs: c.config.NoNewPrivs,
+ user: user,
+ cwd: c.config.Spec.Process.Cwd,
+ tty: tty,
}
return c.runtime.ociRuntime.execContainer(c, cmd, globalOpts, execOpts)
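Review bot: The added `noNewPrivs: c.config.NoNewPrivs` line is a security-relevant decision that deserves a why-comment, because nothing in `Exec`'s signature lets a caller override it and a later maintainer should know that is intentional rather than an oversight. Suggest placing `// Exec sessions always inherit the container's no_new_privileges setting; there is deliberately no per-exec override.` above the `execOpts` literal. It would also help to note that the `privileged` parameter still drives `capList` on its own, so capability additions and no_new_privileges are separate controls that are both forwarded to the OCI runtime here. The body of `Exec` begins before this hunk, so the `capList` derivation is not visible for review.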
diff --git a/libpod/options.go b/libpod/options.go
index 56e8fa203..6982a26c2 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
}
}
+// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
+func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.NoNewPrivs = noNewPrivs
+ return nil
+ }
+}
+
// WithSELinuxLabels sets the mount label for SELinux
func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
return func(ctr *Container) error {
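Review bot: The doc comment on `WithNoNewPrivs` is less precise than the sibling options' comments: it says the flag is set "in the container runtime", but the function only records `ctr.config.NoNewPrivs`, and the only consumer visible in this diff is the exec path in container_api.go. Whether the field also reaches the container's own OCI process spec at creation is not shown here, so that should be confirmed before the option is relied on as a hardening setting for the main process. Suggest `// WithNoNewPrivs records whether the container, and any exec session started in it, should run with no_new_privileges set.` with a terminating period to match Go doc conventions. The `ctr.valid` / `ErrCtrFinalized` guard correctly mirrors `WithPrivileged` above.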