Save --privileged state

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #255 Approved by: mheon
2018-01-23 17:12:13 +01:00 · 2018-01-23 17:12:13 +01:00 · 50d4cd2868
parent 12e3d9d8a2
commit 50d4cd2868
4 changed files with 48 additions and 1 deletions
--- a/cmd/podman/inspect.go
+++ b/cmd/podman/inspect.go
@ -188,7 +188,7 @@ func getCtrInspectInfo(ctr *libpod.Container, ctrInspectData *libpod.ContainerIn
 			MemorySwappiness:     memSwappiness,
 			OomKillDisable:       memDisableOOMKiller,
 			PidsLimit:            pidsLimit,
-			Privileged:           spec.Process.NoNewPrivileges,
+			Privileged:           config.Privileged,
 			ReadonlyRootfs:       spec.Root.Readonly,
 			Runtime:              ctr.RuntimeName(),
 			NetworkMode:          string(createArtifact.NetMode),
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@ -608,6 +608,7 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 		options = append(options, libpod.WithHosts(c.HostAdd))
 	}

+	options = append(options, libpod.WithPrivileged(c.Privileged))
 	return options, nil
 }

--- a/libpod/options.go
+++ b/libpod/options.go
@ -268,6 +268,18 @@ func WithShmSize(size int64) CtrCreateOption {
 	}
 }

+// WithPrivileged sets the privileged flag in the container runtime
+func WithPrivileged(privileged bool) CtrCreateOption {
+	return func(ctr *Container) error {
+		if ctr.valid {
+			return ErrCtrFinalized
+		}
+
+		ctr.config.Privileged = privileged
+		return nil
+	}
+}
+
 // WithSELinuxLabels sets the mount label for SELinux
 func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
 	return func(ctr *Container) error {
--- a/test/podman_run_security.bats
+++ b/test/podman_run_security.bats
@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+    cleanup_test
+}
+
+function setup() {
+    copy_images
+}
+
+@test "run privileged test" {
+    cap=$(grep CapEff /proc/self/status | cut -f2 -d":")
+
+    run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --privileged ${ALPINE}  grep CapEff /proc/self/status
+    echo $output
+    [ "$status" -eq 0 ]
+    containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+    [ $containercap = $cap ]
+
+    run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --cap-add all ${ALPINE}  grep CapEff /proc/self/status
+    echo $output
+    [ "$status" -eq 0 ]
+    containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+    [ $containercap = $cap ]
+
+    cap=$(grep CapAmb /proc/self/status | cut -f2 -d":")
+    run ${PODMAN_BINARY} ${PODMAN_OPTIONS} run --cap-drop all ${ALPINE}  grep CapEff /proc/self/status
+    echo $output
+    [ "$status" -eq 0 ]
+    containercap=$(echo $output | tr -d '\r'| cut -f2 -d":")
+    [ $containercap = $cap ]
+}