Add no-new-privileges to SecurityOptions returned by /info

akerouanton · akerouanton · commit eb7738221c3b · 2023-04-18T09:34:08.000+02:00
Signed-off-by: Albin Kerouanton &lt;albinker@gmail.com&gt;
diff --git a/api/swagger.yaml b/api/swagger.yaml
@@ -5243,7 +5243,8 @@ definitions:
       SecurityOptions:
         description: |
           List of security features that are enabled on the daemon, such as
-          apparmor, seccomp, SELinux, user-namespaces (userns), and rootless.
+          apparmor, seccomp, SELinux, user-namespaces (userns), rootless and
+          no-new-privileges.
 
           Additional configuration options for each security feature may
           be present, and are included as a comma-separated list of key/value
diff --git a/daemon/info.go b/daemon/info.go
@@ -170,6 +170,9 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 	if daemon.cgroupNamespacesEnabled(sysInfo) {
 		securityOptions = append(securityOptions, "name=cgroupns")
 	}
+	if daemon.noNewPrivileges() {
+		securityOptions = append(securityOptions, "name=no-new-privileges")
+	}
 
 	v.SecurityOptions = securityOptions
 }
diff --git a/daemon/info_unix.go b/daemon/info_unix.go
@@ -366,3 +366,7 @@ func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
 func (daemon *Daemon) Rootless() bool {
 	return daemon.configStore.Rootless
 }
+
+func (daemon *Daemon) noNewPrivileges() bool {
+	return daemon.configStore.NoNewPrivileges
+}
diff --git a/daemon/info_windows.go b/daemon/info_windows.go
@@ -22,3 +22,7 @@ func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
 func (daemon *Daemon) Rootless() bool {
 	return false
 }
+
+func (daemon *Daemon) noNewPrivileges() bool {
+	return false
+}
diff --git a/docs/api/version-history.md b/docs/api/version-history.md
@@ -23,6 +23,9 @@ keywords: "API, Docker, rcli, REST, documentation"
 * `GET /images/json` no longer includes hardcoded `<none>:<none>` and
   `<none>@<none>` in `RepoTags` and`RepoDigests` for untagged images.
   In such cases, empty arrays will be produced instead.
+* `GET /info` now includes `no-new-privileges` in the `SecurityOptions` string
+  list when this option is enabled globally. This change is not versioned, and
+  affects all API versions if the daemon has this patch.
 
 ## v1.42 API changes
 

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,9 @@ func (daemon Daemon) fillSecurityOptions(v types.Info, sysInfo *sysinfo.SysInf`
`170`	`170`	`if daemon.cgroupNamespacesEnabled(sysInfo) {`
`171`	`171`	`securityOptions = append(securityOptions, "name=cgroupns")`
`172`	`172`	`}`
	`173`	`+ if daemon.noNewPrivileges() {`
	`174`	`+ securityOptions = append(securityOptions, "name=no-new-privileges")`
	`175`	`+ }`
`173`	`176`
`174`	`177`	`v.SecurityOptions = securityOptions`
`175`	`178`	`}`
Original file line number	Diff line number	Diff line change
`@@ -366,3 +366,7 @@ func (daemon Daemon) cgroupNamespacesEnabled(sysInfo sysinfo.SysInfo) bool {`
`366`	`366`	`func (daemon *Daemon) Rootless() bool {`
`367`	`367`	`return daemon.configStore.Rootless`
`368`	`368`	`}`
	`369`	`+`
	`370`	`+func (daemon *Daemon) noNewPrivileges() bool {`
	`371`	`+ return daemon.configStore.NoNewPrivileges`
	`372`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -22,3 +22,7 @@ func (daemon Daemon) cgroupNamespacesEnabled(sysInfo sysinfo.SysInfo) bool {`
`22`	`22`	`func (daemon *Daemon) Rootless() bool {`
`23`	`23`	`return false`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+func (daemon *Daemon) noNewPrivileges() bool {`
	`27`	`+ return false`
	`28`	`+}`