Add support for --no-new-privs

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #369 Approved by: rhatdan
2025-12-05 04:40:47 +08:00 · 2018-02-15 12:23:36 -05:00
parent 1d9539337b
commit 831dc48883
5 changed files with 46 additions and 9 deletions
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -237,12 +237,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 		log: c.LogPath(),
 	}
 	execOpts := runcExecOptions{
-		capAdd:  capList,
-		pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
-		env:     env,
-		user:    user,
-		cwd:     c.config.Spec.Process.Cwd,
-		tty:     tty,
+		capAdd:     capList,
+		pidFile:    filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
+		env:        env,
+		noNewPrivs: c.config.NoNewPrivs,
+		user:       user,
+		cwd:        c.config.Spec.Process.Cwd,
+		tty:        tty,
 	}

 	return c.runtime.ociRuntime.execContainer(c, cmd, globalOpts, execOpts)
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
 	}
 }

+// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
+func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
+	return func(ctr *Container) error {
+		if ctr.valid {
+			return ErrCtrFinalized
+		}
+
+		ctr.config.NoNewPrivs = noNewPrivs
+		return nil
+	}
+}
+
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 	return func(ctr *Container) error {