Add support for --no-new-privs

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #369 Approved by: rhatdan
2025-05-21 17:16:22 +08:00 · 2018-02-15 12:23:36 -05:00
parent 1d9539337b
commit 831dc48883
5 changed files with 46 additions and 9 deletions
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@ -128,7 +128,7 @@ type createConfig struct {
 	WorkDir            string            //workdir
 	MountLabel         string            //SecurityOpts
 	ProcessLabel       string            //SecurityOpts
-	NoNewPrivileges    bool              //SecurityOpts
+	NoNewPrivs         bool              //SecurityOpts
 	ApparmorProfile    string            //SecurityOpts
 	SeccompProfilePath string            //SecurityOpts
 	SecurityOpts       []string
@ -252,7 +252,7 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {
 	for _, opt := range securityOpts {
 		if opt == "no-new-privileges" {
-			config.NoNewPrivileges = true
+			config.NoNewPrivs = true
 		} else {
 			con := strings.SplitN(opt, "=", 2)
 			if len(con) != 2 {
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@ -259,7 +259,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	}
 	// SECURITY OPTS
-	g.SetProcessNoNewPrivileges(config.NoNewPrivileges)
+	g.SetProcessNoNewPrivileges(config.NoNewPrivs)
 	g.SetProcessApparmorProfile(config.ApparmorProfile)
 	g.SetProcessSelinuxLabel(config.ProcessLabel)
 	g.SetLinuxMountLabel(config.MountLabel)
@ -665,6 +665,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 	}
 	options = append(options, libpod.WithPrivileged(c.Privileged))
 	options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
 	return options, nil
 }
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@ -240,6 +240,7 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 		capAdd:     capList,
 		pidFile:    filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
 		env:        env,
 		noNewPrivs: c.config.NoNewPrivs,
 		user:       user,
 		cwd:        c.config.Spec.Process.Cwd,
 		tty:        tty,
--- a/libpod/options.go
+++ b/libpod/options.go
@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
 	}
 }
 // WithNoNewPrivs sets the noNewPrivs flag in the container runtime
 func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
 	return func(ctr *Container) error {
 		if ctr.valid {
 			return ErrCtrFinalized
 		}
 		ctr.config.NoNewPrivs = noNewPrivs
 		return nil
 	}
 }
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 	return func(ctr *Container) error {
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@ -1,6 +1,7 @@
 package integration
 import (
 	"fmt"
 	"os"
 	. "github.com/onsi/ginkgo"
@ -81,4 +82,26 @@ var _ = Describe("Podman privileged container tests", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
 	})
 	It("run no-new-privileges test", func() {
 		cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
 		cap.WaitWithDefaultTimeout()
 		if cap.ExitCode() != 0 {
 			fmt.Println("Can't determine NoNewPrivs")
 			return
 		}
 		session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 		privs := strings.Split(cap.OutputToString(), ":")
 		session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 		noprivs := strings.Split(cap.OutputToString(), ":")
 		Expect(privs[1]).To(Not(Equal(noprivs[1])))
 	})
 })