From d19ea6a60de8fbe11e38c5a9fefbdbc799d1dd40 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Fri, 2 Dec 2022 16:22:29 +0100
Subject: [PATCH] quadlet: Change NoNewPrivileges default to false

This matches the default of podman run.

Signed-off-by: Alexander Larsson
---
 docs/source/markdown/podman-systemd.unit.5.md | 2 +-
 pkg/systemd/quadlet/quadlet.go | 2 +-
 test/e2e/quadlet/basic.container | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index 4f2b1a518c..3bad70bdc5 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -109,7 +109,7 @@ which can be modified with `RemapUsers`, but if that is not specified, this uid
 The (numeric) gid to run as inside the container. This does not need to match the gid on the host, which can be modified with `RemapUsers`, but if that is not specified, this gid is also used on the host.
-#### `NoNewPrivileges=` (defaults to `yes`)
+#### `NoNewPrivileges=` (defaults to `no`)
 If enabled (which is the default), this disables the container processes from gaining additional privileges via things like setuid and file capabilities.
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index 32f11db73c..840cb8c4a0 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -297,7 +297,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 }
 // Default to no higher level privileges or caps
- noNewPrivileges := container.LookupBoolean(ContainerGroup, KeyNoNewPrivileges, true)
+ noNewPrivileges := container.LookupBoolean(ContainerGroup, KeyNoNewPrivileges, false)
 if noNewPrivileges {
 podman.add("--security-opt=no-new-privileges")
 }
diff --git a/test/e2e/quadlet/basic.container b/test/e2e/quadlet/basic.container
index 8369f75aa9..9929e6ec41 100644
--- a/test/e2e/quadlet/basic.container
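Review bot: The context comment `// Default to no higher level privileges or caps` directly above the changed line now contradicts the code, because `LookupBoolean(ContainerGroup, KeyNoNewPrivileges, false)` means the default is to *not* pass `--security-opt=no-new-privileges`; it should read something like `// NoNewPrivileges= defaults to false to match podman run; units opt in explicitly.`. This is a hardening regression for existing .container units that relied on the implicit opt-in (their processes can again gain privileges via setuid binaries and file capabilities), so the change deserves a release note telling users to add `NoNewPrivileges=true` where they want the old behaviour. The man-page hunk in this same commit is internally inconsistent for the same reason: the heading now says defaults to `no`, but the next sentence still reads "If enabled (which is the default)". The test hunk only drops the positive assertion; adding `## !assert-podman-args "--security-opt=no-new-privileges"` to basic.container would actually pin the new default. ConvertContainer begins and continues outside this hunk.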
+++ b/test/e2e/quadlet/basic.container
@@ -10,7 +10,6 @@
 ## assert-podman-args "--runtime" "/usr/bin/crun"
 ## assert-podman-args "--cgroups=split"
 ## assert-podman-args "--sdnotify=conmon"
-## assert-podman-args "--security-opt=no-new-privileges"
 ## assert-podman-args "--cap-drop=all"
 ## assert-podman-args "--read-only"
 ## !assert-podman-args "--read-only-tmpfs=false"