Add support for --no-new-privs

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #369 Approved by: rhatdan
2025-12-05 04:40:47 +08:00 · 2018-02-15 12:23:36 -05:00
parent 1d9539337b
commit 831dc48883
5 changed files with 46 additions and 9 deletions
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -128,7 +128,7 @@ type createConfig struct {
 	WorkDir            string            //workdir
 	MountLabel         string            //SecurityOpts
 	ProcessLabel       string            //SecurityOpts
-	NoNewPrivileges    bool              //SecurityOpts
+	NoNewPrivs         bool              //SecurityOpts
 	ApparmorProfile    string            //SecurityOpts
 	SeccompProfilePath string            //SecurityOpts
 	SecurityOpts       []string
@@ -252,7 +252,7 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {

 	for _, opt := range securityOpts {
 		if opt == "no-new-privileges" {
-			config.NoNewPrivileges = true
+			config.NoNewPrivs = true
 		} else {
 			con := strings.SplitN(opt, "=", 2)
 			if len(con) != 2 {
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -259,7 +259,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	}

 	// SECURITY OPTS
-	g.SetProcessNoNewPrivileges(config.NoNewPrivileges)
+	g.SetProcessNoNewPrivileges(config.NoNewPrivs)
 	g.SetProcessApparmorProfile(config.ApparmorProfile)
 	g.SetProcessSelinuxLabel(config.ProcessLabel)
 	g.SetLinuxMountLabel(config.MountLabel)
@@ -665,6 +665,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 	}

 	options = append(options, libpod.WithPrivileged(c.Privileged))
+	options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
 	return options, nil
 }