From 831dc488833e055dce1f1ba4c09f09346c85b67d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 15 Feb 2018 12:23:36 -0500
Subject: Add support for --no-new-privs

Signed-off-by: Daniel J Walsh
Closes: #369
Approved by: rhatdan
---
 libpod/container_api.go | 13 +++++++------
 libpod/options.go | 12 ++++++++++++
 2 files changed, 19 insertions(+), 6 deletions(-)
(limited to 'libpod')
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 2dfb166ec..f79be4ac7 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -237,12 +237,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 log: c.LogPath(),
 }
 execOpts := runcExecOptions{
- capAdd: capList,
- pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
- env: env,
- user: user,
- cwd: c.config.Spec.Process.Cwd,
- tty: tty,
+ capAdd: capList,
+ pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
+ env: env,
+ noNewPrivs: c.config.NoNewPrivs,
+ user: user,
+ cwd: c.config.Spec.Process.Cwd,
+ tty: tty,
 }
 
 return c.runtime.ociRuntime.execContainer(c, cmd, globalOpts, execOpts)
diff --git a/libpod/options.go b/libpod/options.go
index 56e8fa203..6982a26c2 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
 }
 }
 
+// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
+func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return ErrCtrFinalized
+ }
+
+ ctr.config.NoNewPrivs = noNewPrivs
+ return nil
+ }
+}
+
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 return func(ctr *Container) error {
-- 
cgit v1.2.3-54-g00ecf
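Review bot: In the `execOpts` literal in `Exec` (libpod/container_api.go), `noNewPrivs` is read only from `c.config.NoNewPrivs`, while `cwd` on the neighbouring line comes from `c.config.Spec.Process`; if `Spec` is the OCI runtime spec, it carries its own `NoNewPrivileges` field and the two can drift. A container whose spec sets the flag but which was created without `WithNoNewPrivs(true)` would then exec processes that may still gain privileges through setuid or file-capability binaries. Consider `noNewPrivs: c.config.NoNewPrivs || c.config.Spec.Process.NoNewPrivileges,`, or document that callers must set both. The value also applies when `privileged` is true, which looks intentional but deserves a comment such as `// exec sessions always inherit the container's no_new_privs setting`. `Exec` begins and ends outside the hunk, so how `capList` is built is not visible here.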
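Review bot: The doc comment on `WithNoNewPrivs` (libpod/options.go) says the flag is set "in the container runtime", but the body only stores it in `ctr.config.NoNewPrivs`, and the one consumer visible in this commit is `Exec`. I would reword it to something like `// WithNoNewPrivs records whether processes started in the container via Exec run with no_new_privs set.` and add that the option returns `ErrCtrFinalized` once the container is valid. Whether the container's init process is also covered depends on code outside this diff, so the comment should not promise it.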