container_create: honor no_new_privs

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Antonio Murdaca 2017-09-27 14:34:33 +02:00
parent 91d9b4fc29
commit e41ba62b19


@ -770,6 +770,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
specgen.SetProcessSelinuxLabel(processLabel) specgen.SetProcessSelinuxLabel(processLabel)
specgen.SetLinuxMountLabel(mountLabel) specgen.SetLinuxMountLabel(mountLabel)
specgen.SetProcessNoNewPrivileges(linux.GetSecurityContext().GetNoNewPrivs())
if containerConfig.GetLinux().GetSecurityContext() != nil && if containerConfig.GetLinux().GetSecurityContext() != nil &&
!containerConfig.GetLinux().GetSecurityContext().Privileged { !containerConfig.GetLinux().GetSecurityContext().Privileged {