container_create: set privileged on ctr only if also on sandbox

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 16:36:53 +02:00 · 2017-09-06 16:36:53 +02:00 · cde40ad5ca
commit cde40ad5ca
parent dacc5c3ece
1 changed files with 3 additions and 0 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -419,6 +419,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	var readOnlyRootfs bool
 	if containerConfig.GetLinux().GetSecurityContext() != nil {
 		if containerConfig.GetLinux().GetSecurityContext().Privileged {
+			if !sb.Privileged() {
+				return nil, fmt.Errorf("no privileged container allowed in sandbox")
+			}
 			specgen.SetupPrivileged(true)
 		}