container_create: honor no_new_privs

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-27 14:34:33 +02:00 · 2017-09-27 14:34:33 +02:00 · e41ba62b19
parent 91d9b4fc29
commit e41ba62b19
1 changed files with 1 additions and 0 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -770,6 +770,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		}
 		specgen.SetProcessSelinuxLabel(processLabel)
 		specgen.SetLinuxMountLabel(mountLabel)
+		specgen.SetProcessNoNewPrivileges(linux.GetSecurityContext().GetNoNewPrivs())

 		if containerConfig.GetLinux().GetSecurityContext() != nil &&
 			!containerConfig.GetLinux().GetSecurityContext().Privileged {