summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate/oci.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen/generate/oci.go')
-rw-r--r--pkg/specgen/generate/oci.go32
1 files changed, 12 insertions, 20 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 140dc5092..78cd32253 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -5,11 +5,11 @@ import (
"strings"
"github.com/containers/common/pkg/config"
- "github.com/containers/libpod/v2/libpod"
- "github.com/containers/libpod/v2/libpod/define"
- "github.com/containers/libpod/v2/libpod/image"
- "github.com/containers/libpod/v2/pkg/rootless"
- "github.com/containers/libpod/v2/pkg/specgen"
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/libpod/image"
+ "github.com/containers/podman/v2/pkg/rootless"
+ "github.com/containers/podman/v2/pkg/specgen"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -20,10 +20,9 @@ import (
func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ isRootless = rootless.IsRootless()
+ nofileSet = false
+ nprocSet = false
)
if s.Rlimits == nil {
@@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
if !nofileSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
}
if !nprocSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
@@ -286,13 +285,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
}
- // SECURITY OPTS
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if !s.Privileged {
- g.SetProcessApparmorProfile(s.ApparmorProfile)
- }
-
BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), &g)
for name, val := range s.Env {
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-01-09 19:54:44 +0000