mirror of
https://github.com/containers/podman.git
synced 2025-06-19 00:06:43 +08:00
Remove No New Privs from DB as it's already in the spec
Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #383 Approved by: rhatdan
This commit is contained in:
Matthew Heon
@ -176,8 +176,6 @@ type ContainerConfig struct {
|
|||||||
// Security Config
|
// Security Config
|
||||||
// Whether the container is privileged
|
// Whether the container is privileged
|
||||||
Privileged bool `json:"privileged"`
|
Privileged bool `json:"privileged"`
|
||||||
// Whether to set the No New Privileges flag
|
|
||||||
NoNewPrivs bool `json:"noNewPrivs"`
|
|
||||||
// SELinux process label for container
|
// SELinux process label for container
|
||||||
ProcessLabel string `json:"ProcessLabel,omitempty"`
|
ProcessLabel string `json:"ProcessLabel,omitempty"`
|
||||||
// SELinux mount label for root filesystem
|
// SELinux mount label for root filesystem
|
||||||
|
|||||||
@ -106,11 +106,6 @@ func (j *ContainerConfig) MarshalJSONBuf(buf fflib.EncodingBuffer) error {
|
|||||||
} else {
|
} else {
|
||||||
buf.WriteString(`"privileged":false`)
|
buf.WriteString(`"privileged":false`)
|
||||||
}
|
}
|
||||||
if j.NoNewPrivs {
|
|
||||||
buf.WriteString(`,"noNewPrivs":true`)
|
|
||||||
} else {
|
|
||||||
buf.WriteString(`,"noNewPrivs":false`)
|
|
||||||
}
|
|
||||||
buf.WriteByte(',')
|
buf.WriteByte(',')
|
||||||
if len(j.ProcessLabel) != 0 {
|
if len(j.ProcessLabel) != 0 {
|
||||||
buf.WriteString(`"ProcessLabel":`)
|
buf.WriteString(`"ProcessLabel":`)
|
||||||
@ -343,8 +338,6 @@ const (
|
|||||||
|
|
||||||
ffjtContainerConfigPrivileged
|
ffjtContainerConfigPrivileged
|
||||||
|
|
||||||
ffjtContainerConfigNoNewPrivs
|
|
||||||
|
|
||||||
ffjtContainerConfigProcessLabel
|
ffjtContainerConfigProcessLabel
|
||||||
|
|
||||||
ffjtContainerConfigMountLabel
|
ffjtContainerConfigMountLabel
|
||||||
@ -416,8 +409,6 @@ var ffjKeyContainerConfigMounts = []byte("mounts")
|
|||||||
|
|
||||||
var ffjKeyContainerConfigPrivileged = []byte("privileged")
|
var ffjKeyContainerConfigPrivileged = []byte("privileged")
|
||||||
|
|
||||||
var ffjKeyContainerConfigNoNewPrivs = []byte("noNewPrivs")
|
|
||||||
|
|
||||||
var ffjKeyContainerConfigProcessLabel = []byte("ProcessLabel")
|
var ffjKeyContainerConfigProcessLabel = []byte("ProcessLabel")
|
||||||
|
|
||||||
var ffjKeyContainerConfigMountLabel = []byte("MountLabel")
|
var ffjKeyContainerConfigMountLabel = []byte("MountLabel")
|
||||||
@ -649,11 +640,6 @@ mainparse:
|
|||||||
state = fflib.FFParse_want_colon
|
state = fflib.FFParse_want_colon
|
||||||
goto mainparse
|
goto mainparse
|
||||||
|
|
||||||
} else if bytes.Equal(ffjKeyContainerConfigNoNewPrivs, kn) {
|
|
||||||
currentKey = ffjtContainerConfigNoNewPrivs
|
|
||||||
state = fflib.FFParse_want_colon
|
|
||||||
goto mainparse
|
|
||||||
|
|
||||||
} else if bytes.Equal(ffjKeyContainerConfigNetNsCtr, kn) {
|
} else if bytes.Equal(ffjKeyContainerConfigNetNsCtr, kn) {
|
||||||
currentKey = ffjtContainerConfigNetNsCtr
|
currentKey = ffjtContainerConfigNetNsCtr
|
||||||
state = fflib.FFParse_want_colon
|
state = fflib.FFParse_want_colon
|
||||||
@ -887,12 +873,6 @@ mainparse:
|
|||||||
goto mainparse
|
goto mainparse
|
||||||
}
|
}
|
||||||
|
|
||||||
if fflib.EqualFoldRight(ffjKeyContainerConfigNoNewPrivs, kn) {
|
|
||||||
currentKey = ffjtContainerConfigNoNewPrivs
|
|
||||||
state = fflib.FFParse_want_colon
|
|
||||||
goto mainparse
|
|
||||||
}
|
|
||||||
|
|
||||||
if fflib.SimpleLetterEqualFold(ffjKeyContainerConfigPrivileged, kn) {
|
if fflib.SimpleLetterEqualFold(ffjKeyContainerConfigPrivileged, kn) {
|
||||||
currentKey = ffjtContainerConfigPrivileged
|
currentKey = ffjtContainerConfigPrivileged
|
||||||
state = fflib.FFParse_want_colon
|
state = fflib.FFParse_want_colon
|
||||||
@ -1018,9 +998,6 @@ mainparse:
|
|||||||
case ffjtContainerConfigPrivileged:
|
case ffjtContainerConfigPrivileged:
|
||||||
goto handle_Privileged
|
goto handle_Privileged
|
||||||
|
|
||||||
case ffjtContainerConfigNoNewPrivs:
|
|
||||||
goto handle_NoNewPrivs
|
|
||||||
|
|
||||||
case ffjtContainerConfigProcessLabel:
|
case ffjtContainerConfigProcessLabel:
|
||||||
goto handle_ProcessLabel
|
goto handle_ProcessLabel
|
||||||
|
|
||||||
@ -1480,41 +1457,6 @@ handle_Privileged:
|
|||||||
state = fflib.FFParse_after_value
|
state = fflib.FFParse_after_value
|
||||||
goto mainparse
|
goto mainparse
|
||||||
|
|
||||||
handle_NoNewPrivs:
|
|
||||||
|
|
||||||
/* handler: j.NoNewPrivs type=bool kind=bool quoted=false*/
|
|
||||||
|
|
||||||
{
|
|
||||||
if tok != fflib.FFTok_bool && tok != fflib.FFTok_null {
|
|
||||||
return fs.WrapErr(fmt.Errorf("cannot unmarshal %s into Go value for bool", tok))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
|
||||||
if tok == fflib.FFTok_null {
|
|
||||||
|
|
||||||
} else {
|
|
||||||
tmpb := fs.Output.Bytes()
|
|
||||||
|
|
||||||
if bytes.Compare([]byte{'t', 'r', 'u', 'e'}, tmpb) == 0 {
|
|
||||||
|
|
||||||
j.NoNewPrivs = true
|
|
||||||
|
|
||||||
} else if bytes.Compare([]byte{'f', 'a', 'l', 's', 'e'}, tmpb) == 0 {
|
|
||||||
|
|
||||||
j.NoNewPrivs = false
|
|
||||||
|
|
||||||
} else {
|
|
||||||
err = errors.New("unexpected bytes for true/false value")
|
|
||||||
return fs.WrapErr(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
state = fflib.FFParse_after_value
|
|
||||||
goto mainparse
|
|
||||||
|
|
||||||
handle_ProcessLabel:
|
handle_ProcessLabel:
|
||||||
|
|
||||||
/* handler: j.ProcessLabel type=string kind=string quoted=false*/
|
/* handler: j.ProcessLabel type=string kind=string quoted=false*/
|
||||||
|
|||||||
@ -14,7 +14,7 @@ import (
|
|||||||
|
|
||||||
// DBSchema is the current DB schema version
|
// DBSchema is the current DB schema version
|
||||||
// Increments every time a change is made to the database's tables
|
// Increments every time a change is made to the database's tables
|
||||||
const DBSchema = 10
|
const DBSchema = 11
|
||||||
|
|
||||||
// SQLState is a state implementation backed by a persistent SQLite3 database
|
// SQLState is a state implementation backed by a persistent SQLite3 database
|
||||||
type SQLState struct {
|
type SQLState struct {
|
||||||
|
|||||||
@ -213,7 +213,6 @@ func prepareDB(db *sql.DB) (err error) {
|
|||||||
LogPath TEXT NOT NULL,
|
LogPath TEXT NOT NULL,
|
||||||
|
|
||||||
Privileged INTEGER NOT NULL,
|
Privileged INTEGER NOT NULL,
|
||||||
NoNewPrivs INTEGER NOT NULL,
|
|
||||||
ProcessLabel TEXT NOT NULL,
|
ProcessLabel TEXT NOT NULL,
|
||||||
MountLabel TEXT NOT NULL,
|
MountLabel TEXT NOT NULL,
|
||||||
User TEXT NOT NULL,
|
User TEXT NOT NULL,
|
||||||
@ -242,7 +241,6 @@ func prepareDB(db *sql.DB) (err error) {
|
|||||||
CHECK (ImageVolumes IN (0, 1)),
|
CHECK (ImageVolumes IN (0, 1)),
|
||||||
CHECK (SHMSize>=0),
|
CHECK (SHMSize>=0),
|
||||||
CHECK (Privileged IN (0, 1)),
|
CHECK (Privileged IN (0, 1)),
|
||||||
CHECK (NoNewPrivs IN (0, 1)),
|
|
||||||
CHECK (CreateNetNS IN (0, 1)),
|
CHECK (CreateNetNS IN (0, 1)),
|
||||||
CHECK (Stdin IN (0, 1)),
|
CHECK (Stdin IN (0, 1)),
|
||||||
CHECK (StopSignal>=0),
|
CHECK (StopSignal>=0),
|
||||||
@ -448,7 +446,6 @@ func (s *SQLState) ctrFromScannable(row scannable) (*Container, error) {
|
|||||||
logPath string
|
logPath string
|
||||||
|
|
||||||
privileged int
|
privileged int
|
||||||
noNewPrivs int
|
|
||||||
processLabel string
|
processLabel string
|
||||||
mountLabel string
|
mountLabel string
|
||||||
user string
|
user string
|
||||||
@ -503,7 +500,6 @@ func (s *SQLState) ctrFromScannable(row scannable) (*Container, error) {
|
|||||||
&logPath,
|
&logPath,
|
||||||
|
|
||||||
&privileged,
|
&privileged,
|
||||||
&noNewPrivs,
|
|
||||||
&processLabel,
|
&processLabel,
|
||||||
&mountLabel,
|
&mountLabel,
|
||||||
&user,
|
&user,
|
||||||
@ -566,7 +562,6 @@ func (s *SQLState) ctrFromScannable(row scannable) (*Container, error) {
|
|||||||
ctr.config.LogPath = logPath
|
ctr.config.LogPath = logPath
|
||||||
|
|
||||||
ctr.config.Privileged = boolFromSQL(privileged)
|
ctr.config.Privileged = boolFromSQL(privileged)
|
||||||
ctr.config.NoNewPrivs = boolFromSQL(noNewPrivs)
|
|
||||||
ctr.config.ProcessLabel = processLabel
|
ctr.config.ProcessLabel = processLabel
|
||||||
ctr.config.MountLabel = mountLabel
|
ctr.config.MountLabel = mountLabel
|
||||||
ctr.config.User = user
|
ctr.config.User = user
|
||||||
@ -753,7 +748,7 @@ func (s *SQLState) addContainer(ctr *Container, pod *Pod) (err error) {
|
|||||||
?, ?, ?, ?, ?,
|
?, ?, ?, ?, ?,
|
||||||
?, ?, ?, ?, ?,
|
?, ?, ?, ?, ?,
|
||||||
?, ?, ?, ?, ?,
|
?, ?, ?, ?, ?,
|
||||||
?, ?, ?, ?
|
?, ?, ?
|
||||||
);`
|
);`
|
||||||
addCtrState = `INSERT INTO containerState VALUES (
|
addCtrState = `INSERT INTO containerState VALUES (
|
||||||
?, ?, ?, ?, ?,
|
?, ?, ?, ?, ?,
|
||||||
@ -881,7 +876,6 @@ func (s *SQLState) addContainer(ctr *Container, pod *Pod) (err error) {
|
|||||||
ctr.config.LogPath,
|
ctr.config.LogPath,
|
||||||
|
|
||||||
boolToSQL(ctr.config.Privileged),
|
boolToSQL(ctr.config.Privileged),
|
||||||
boolToSQL(ctr.config.NoNewPrivs),
|
|
||||||
ctr.config.ProcessLabel,
|
ctr.config.ProcessLabel,
|
||||||
ctr.config.MountLabel,
|
ctr.config.MountLabel,
|
||||||
ctr.config.User,
|
ctr.config.User,
|
||||||
|
|||||||
@ -106,6 +106,11 @@ func testContainersEqual(t *testing.T, a, b *Container) {
|
|||||||
assert.NotNil(t, a)
|
assert.NotNil(t, a)
|
||||||
assert.NotNil(t, b)
|
assert.NotNil(t, b)
|
||||||
|
|
||||||
|
assert.NotNil(t, a.config)
|
||||||
|
assert.NotNil(t, b.config)
|
||||||
|
assert.NotNil(t, a.state)
|
||||||
|
assert.NotNil(t, b.state)
|
||||||
|
|
||||||
aConfig := new(ContainerConfig)
|
aConfig := new(ContainerConfig)
|
||||||
bConfig := new(ContainerConfig)
|
bConfig := new(ContainerConfig)
|
||||||
aState := new(containerState)
|
aState := new(containerState)
|
||||||
|
|||||||
Reference in New Issue
Block a user