Merge pull request #2649 from estesp/nonewpriv-flag

dmcgowan · web-flow · commit 9faeea1e5e78 · 2018-09-19T11:17:05.000-07:00
Add flag to ctr for running with "NoNewPrivileges: false"
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
@@ -124,6 +124,10 @@ var (
 			Name:  "gpus",
 			Usage: "add gpus to the container",
 		},
+		cli.BoolFlag{
+			Name:  "allow-new-privs",
+			Usage: "turn off OCI spec's NoNewPrivileges feature flag",
+		},
 	}
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
@@ -136,6 +136,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		if context.IsSet("gpus") {
 			opts = append(opts, nvidia.WithGPUs(nvidia.WithDevices(context.Int("gpus")), nvidia.WithAllCapabilities))
 		}
+		if context.IsSet("allow-new-privs") {
+			opts = append(opts, oci.WithNewPrivileges)
+		}
 	}
 
 	cOpts = append(cOpts, containerd.WithContainerLabels(commands.LabelArgs(context.StringSlice("label"))))
diff --git a/oci/spec_opts.go b/oci/spec_opts.go
@@ -268,6 +268,14 @@ func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts {
 	}
 }
 
+// WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec
+func WithNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+	setProcess(s)
+	s.Process.NoNewPrivileges = false
+
+	return nil
+}
+
 // WithImageConfig configures the spec to from the configuration of an Image
 func WithImageConfig(image Image) SpecOpts {
 	return WithImageConfigArgs(image, nil)

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ var (`
`124`	`124`	`Name: "gpus",`
`125`	`125`	`Usage: "add gpus to the container",`
`126`	`126`	`},`
	`127`	`+ cli.BoolFlag{`
	`128`	`+ Name: "allow-new-privs",`
	`129`	`+ Usage: "turn off OCI spec's NoNewPrivileges feature flag",`
	`130`	`+ },`
`127`	`131`	`}`
`128`	`132`	`)`
`129`	`133`
Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,9 @@ func NewContainer(ctx gocontext.Context, client containerd.Client, context cli`
`136`	`136`	`if context.IsSet("gpus") {`
`137`	`137`	`opts = append(opts, nvidia.WithGPUs(nvidia.WithDevices(context.Int("gpus")), nvidia.WithAllCapabilities))`
`138`	`138`	`}`
	`139`	`+ if context.IsSet("allow-new-privs") {`
	`140`	`+ opts = append(opts, oci.WithNewPrivileges)`
	`141`	`+ }`
`139`	`142`	`}`
`140`	`143`
`141`	`144`	`cOpts = append(cOpts, containerd.WithContainerLabels(commands.LabelArgs(context.StringSlice("label"))))`
Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,14 @@ func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts {`
`268`	`268`	`}`
`269`	`269`	`}`
`270`	`270`
	`271`	`+// WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec`
	`272`	`+func WithNewPrivileges(_ context.Context, _ Client, _ containers.Container, s Spec) error {`
	`273`	`+ setProcess(s)`
	`274`	`+ s.Process.NoNewPrivileges = false`
	`275`	`+`
	`276`	`+ return nil`
	`277`	`+}`
	`278`	`+`
`271`	`279`	`// WithImageConfig configures the spec to from the configuration of an Image`
`272`	`280`	`func WithImageConfig(image Image) SpecOpts {`
`273`	`281`	`return WithImageConfigArgs(image, nil)`