Add support for --no-new-privs

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #369
Approved by: rhatdan

cmd/podman/create.go

@@ -128,7 +128,7 @@ type createConfig struct {
 	WorkDir            string            //workdir
 	MountLabel         string            //SecurityOpts
 	ProcessLabel       string            //SecurityOpts
-	NoNewPrivileges    bool              //SecurityOpts
+	NoNewPrivs         bool              //SecurityOpts
 	ApparmorProfile    string            //SecurityOpts
 	SeccompProfilePath string            //SecurityOpts
 	SecurityOpts       []string
@@ -252,7 +252,7 @@ func parseSecurityOpt(config *createConfig, securityOpts []string) error {
 
 	for _, opt := range securityOpts {
 		if opt == "no-new-privileges" {
-			config.NoNewPrivileges = true
+			config.NoNewPrivs = true
 		} else {
 			con := strings.SplitN(opt, "=", 2)
 			if len(con) != 2 {

cmd/podman/spec.go

@@ -259,7 +259,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	}
 
 	// SECURITY OPTS
-	g.SetProcessNoNewPrivileges(config.NoNewPrivileges)
+	g.SetProcessNoNewPrivileges(config.NoNewPrivs)
 	g.SetProcessApparmorProfile(config.ApparmorProfile)
 	g.SetProcessSelinuxLabel(config.ProcessLabel)
 	g.SetLinuxMountLabel(config.MountLabel)
@@ -665,6 +665,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 	}
 
 	options = append(options, libpod.WithPrivileged(c.Privileged))
+	options = append(options, libpod.WithNoNewPrivs(c.NoNewPrivs))
 	return options, nil
 }
 

libpod/container_api.go

@@ -237,12 +237,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 		log: c.LogPath(),
 	}
 	execOpts := runcExecOptions{
-		capAdd:  capList,
-		pidFile: filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
-		env:     env,
-		user:    user,
-		cwd:     c.config.Spec.Process.Cwd,
-		tty:     tty,
+		capAdd:     capList,
+		pidFile:    filepath.Join(c.state.RunDir, fmt.Sprintf("%s-execpid", stringid.GenerateNonCryptoID()[:12])),
+		env:        env,
+		noNewPrivs: c.config.NoNewPrivs,
+		user:       user,
+		cwd:        c.config.Spec.Process.Cwd,
+		tty:        tty,
 	}
 
 	return c.runtime.ociRuntime.execContainer(c, cmd, globalOpts, execOpts)

libpod/options.go

@@ -272,6 +272,18 @@ func WithPrivileged(privileged bool) CtrCreateOption {
 	}
 }
 
+// WithNoNewPrivs sets the noNewPrivs flag in the container runtime
+func WithNoNewPrivs(noNewPrivs bool) CtrCreateOption {
+	return func(ctr *Container) error {
+		if ctr.valid {
+			return ErrCtrFinalized
+		}
+
+		ctr.config.NoNewPrivs = noNewPrivs
+		return nil
+	}
+}
+
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 	return func(ctr *Container) error {

test/e2e/run_privileged_test.go

@@ -1,6 +1,7 @@
 package integration
 
 import (
+	"fmt"
 	"os"
 
 	. "github.com/onsi/ginkgo"
@@ -81,4 +82,26 @@ var _ = Describe("Podman privileged container tests", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
 	})
+
+	It("run no-new-privileges test", func() {
+		cap := podmanTest.SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
+		cap.WaitWithDefaultTimeout()
+		if cap.ExitCode() != 0 {
+			fmt.Println("Can't determine NoNewPrivs")
+			return
+		}
+
+		session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		privs := strings.Split(cap.OutputToString(), ":")
+
+		session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		noprivs := strings.Split(cap.OutputToString(), ":")
+
+		Expect(privs[1]).To(Not(Equal(noprivs[1])))
+	})
+
 })