diff options
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/api/handlers/generic/images.go | 2 | ||||
| -rw-r--r-- | pkg/api/handlers/utils/containers.go | 2 | ||||
| -rw-r--r-- | pkg/spec/spec.go | 26 |
3 files changed, 21 insertions, 9 deletions
diff --git a/pkg/api/handlers/generic/images.go b/pkg/api/handlers/generic/images.go index afd107207..1ced499d9 100644 --- a/pkg/api/handlers/generic/images.go +++ b/pkg/api/handlers/generic/images.go @@ -255,7 +255,7 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) { tag – Tag or digest. If empty when pulling an image, this causes all tags for the given image to be pulled. */ fromImage := query.FromImage - if len(query.Tag) < 1 { + if len(query.Tag) >= 1 { fromImage = fmt.Sprintf("%s:%s", fromImage, query.Tag) } diff --git a/pkg/api/handlers/utils/containers.go b/pkg/api/handlers/utils/containers.go index 74485edf2..c9bb9cf09 100644 --- a/pkg/api/handlers/utils/containers.go +++ b/pkg/api/handlers/utils/containers.go @@ -15,7 +15,7 @@ import ( func KillContainer(w http.ResponseWriter, r *http.Request) (*libpod.Container, error) { runtime := r.Context().Value("runtime").(*libpod.Runtime) - decoder := r.Context().Value("decorder").(*schema.Decoder) + decoder := r.Context().Value("decoder").(*schema.Decoder) query := struct { Signal syscall.Signal `schema:"signal"` }{ diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index b2a152a2d..21b6bc3b3 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -241,23 +241,35 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM } // SECURITY OPTS + var runtimeConfig *libpodconfig.Config + + if runtime != nil { + runtimeConfig, err = runtime.GetConfig() + if err != nil { + return nil, err + } + } + g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs) if !config.Security.Privileged { g.SetProcessApparmorProfile(config.Security.ApparmorProfile) } - blockAccessToKernelFilesystems(config, &g) - - var runtimeConfig *libpodconfig.Config - - if runtime != nil { - runtimeConfig, err = runtime.GetConfig() - if err != nil { + // Unless already set via the CLI, check if we need to disable process + // labels or set the defaults. + if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil { + if !runtimeConfig.EnableLabeling { + // Disabled in the config. + config.Security.LabelOpts = append(config.Security.LabelOpts, "disable") + } else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil { + // Defaults! return nil, err } } + blockAccessToKernelFilesystems(config, &g) + // RESOURCES - PIDS if config.Resources.PidsLimit > 0 { // if running on rootless on a cgroupv1 machine or using the cgroupfs manager, pids |