Add flag to ctr for running with NoNewPrivileges: false

estesp · estesp · commit c28ce39cea8e · 2018-09-14T11:03:58.000-04:00
Add flag and With-helper to set NoNewPrivileges to false since it is on
by default in the default UNIX spec for containerd, but off by default
in Docker and CRI plugin use. This allows for easy testing with it off
for comparison.

Signed-off-by: Phil Estes &lt;estesp@linux.vnet.ibm.com&gt;
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
@@ -124,6 +124,10 @@ var (
 			Name:  "gpus",
 			Usage: "add gpus to the container",
 		},
+		cli.BoolFlag{
+			Name:  "allow-new-privs",
+			Usage: "turn off OCI spec's NoNewPrivileges feature flag",
+		},
 	}
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
@@ -136,6 +136,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		if context.IsSet("gpus") {
 			opts = append(opts, nvidia.WithGPUs(nvidia.WithDevices(context.Int("gpus")), nvidia.WithAllCapabilities))
 		}
+		if context.IsSet("allow-new-privs") {
+			opts = append(opts, oci.WithNewPrivileges)
+		}
 	}
 
 	cOpts = append(cOpts, containerd.WithContainerLabels(commands.LabelArgs(context.StringSlice("label"))))
diff --git a/oci/spec_opts.go b/oci/spec_opts.go
@@ -268,6 +268,14 @@ func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts {
 	}
 }
 
+// WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec
+func WithNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+	setProcess(s)
+	s.Process.NoNewPrivileges = false
+
+	return nil
+}
+
 // WithImageConfig configures the spec to from the configuration of an Image
 func WithImageConfig(image Image) SpecOpts {
 	return WithImageConfigArgs(image, nil)

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ var (`
`124`	`124`	`Name: "gpus",`
`125`	`125`	`Usage: "add gpus to the container",`
`126`	`126`	`},`
	`127`	`+ cli.BoolFlag{`
	`128`	`+ Name: "allow-new-privs",`
	`129`	`+ Usage: "turn off OCI spec's NoNewPrivileges feature flag",`
	`130`	`+ },`
`127`	`131`	`}`
`128`	`132`	`)`
`129`	`133`
Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,9 @@ func NewContainer(ctx gocontext.Context, client containerd.Client, context cli`
`136`	`136`	`if context.IsSet("gpus") {`
`137`	`137`	`opts = append(opts, nvidia.WithGPUs(nvidia.WithDevices(context.Int("gpus")), nvidia.WithAllCapabilities))`
`138`	`138`	`}`
	`139`	`+ if context.IsSet("allow-new-privs") {`
	`140`	`+ opts = append(opts, oci.WithNewPrivileges)`
	`141`	`+ }`
`139`	`142`	`}`
`140`	`143`
`141`	`144`	`cOpts = append(cOpts, containerd.WithContainerLabels(commands.LabelArgs(context.StringSlice("label"))))`
Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,14 @@ func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts {`
`268`	`268`	`}`
`269`	`269`	`}`
`270`	`270`
	`271`	`+// WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec`
	`272`	`+func WithNewPrivileges(_ context.Context, _ Client, _ containers.Container, s Spec) error {`
	`273`	`+ setProcess(s)`
	`274`	`+ s.Process.NoNewPrivileges = false`
	`275`	`+`
	`276`	`+ return nil`
	`277`	`+}`
	`278`	`+`
`271`	`279`	`// WithImageConfig configures the spec to from the configuration of an Image`
`272`	`280`	`func WithImageConfig(image Image) SpecOpts {`
`273`	`281`	`return WithImageConfigArgs(image, nil)`