vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

container_create: honor no_new_privs

Browse source 
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca 2017-09-27 14:34:33 +02:00
parent be65303da0
commit 860bc7e21c
No known key found for this signature in database
GPG key ID: B2BEAD150DE936B9
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
server/container_create.go
View file

@ -737,6 +737,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
specgen.SetProcessSelinuxLabel(processLabel) specgen.SetProcessSelinuxLabel(processLabel)
specgen.SetLinuxMountLabel(mountLabel) specgen.SetLinuxMountLabel(mountLabel)
specgen.SetProcessNoNewPrivileges(linux.GetSecurityContext().GetNoNewPrivs())
if containerConfig.GetLinux().GetSecurityContext() != nil && if containerConfig.GetLinux().GetSecurityContext() != nil &&
!containerConfig.GetLinux().GetSecurityContext().Privileged { !containerConfig.GetLinux().GetSecurityContext().Privileged {