diff options
Diffstat (limited to 'pkg/spec/spec.go')
| -rw-r--r-- | pkg/spec/spec.go | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index c2c5e0900..0d953ff6f 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -268,7 +268,9 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM // SECURITY OPTS g.SetProcessNoNewPrivileges(config.NoNewPrivs) - g.SetProcessApparmorProfile(config.ApparmorProfile) + if !config.Privileged { + g.SetProcessApparmorProfile(config.ApparmorProfile) + } blockAccessToKernelFilesystems(config, &g) @@ -355,6 +357,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM if addedResources && !cgroup2 { return nil, errors.New("invalid configuration, cannot set resources with rootless containers not using cgroups v2 unified mode") } + if !cgroup2 { + // Force the resources block to be empty instead of having default values. + configSpec.Linux.Resources = &spec.LinuxResources{} + } } // Make sure that the bind mounts keep options like nosuid, noexec, nodev. |