containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Podman no-new-privileges format 

In docker, the format of no-new-privileges is
"no-new-privileges:true". However, for Podman
all that's required is "no-new-privileges", leading to issues
when attempting to use features desgined for docker in podman.
Adding support for the ":" format to be used along with the "="
format, depedning on which one is entered by the user.

fixes #14133
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
This commit is contained in:
Niall Crowe 2022-05-30 11:11:00 +01:00
parent a550af260a
commit 7e69e2b532
2 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
pkg/specgenutil/specgen.go
View File

@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
if opt == "no-new-privileges" {
s.ContainerSecurityConfig.NoNewPrivileges = true
} else {
con := strings.SplitN(opt, "=", 2)
// Docker deprecated the ":" syntax but still supports it,
// so we need to as well
var con []string
if strings.Contains(opt, "=") {
con = strings.SplitN(opt, "=", 2)
} else {
con = strings.SplitN(opt, ":", 2)
}
if len(con) != 2 {
return fmt.Errorf("invalid --security-opt 1: %q", opt)
}
@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
}
case "unmask":
s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
case "no-new-privileges":
noNewPrivileges, err := strconv.ParseBool(con[1])
if err != nil {
return fmt.Errorf("invalid --security-opt 2: %q", opt)
}
s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
default:
return fmt.Errorf("invalid --security-opt 2: %q", opt)
}

11
test/system/030-run.bats
View File

@ -855,4 +855,15 @@ EOF
run_podman rmi $test_image
}
@test "podman create --security-opt" {
run_podman create --security-opt no-new-privileges=true $IMAGE
run_podman rm $output
run_podman create --security-opt no-new-privileges:true $IMAGE
run_podman rm $output
run_podman create --security-opt no-new-privileges=false $IMAGE
run_podman rm $output
run_podman create --security-opt no-new-privileges $IMAGE
run_podman rm $output
}
# vim: filetype=sh