Merge pull request #155 from miaoyq/support-nonewprivileges

Support NoNewPrivileges

hack/test-e2e-node.sh

@@ -22,7 +22,6 @@ DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
 DEFAULT_SKIP+="|runAsUser"
 DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
 DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
-DEFAULT_SKIP+="|AllowPrivilegeEscalation"
 DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
 DEFAULT_SKIP+="|querying\s\/stats\/summary"
 DEFAULT_SKIP+="|set\sto\sthe\smanifest\sdigest"

pkg/server/container_create.go

@@ -244,6 +244,9 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 		// TODO(random-liu): [P1] Set selinux options.
 
 		// TODO(random-liu): [P2] Add apparmor and seccomp.
+
+		// TODO: Figure out whether we should set no new privilege for sandbox container by default
+		g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
 	}
 
 	g.SetRootReadonly(securityContext.GetReadonlyRootfs())

pkg/server/container_create_test.go

@@ -90,6 +90,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 					DropCapabilities: []string{"CHOWN"},
 				},
 				SupplementalGroups: []int64{1111, 2222},
+				NoNewPrivs:         true,
 			},
 		},
 	}
@@ -146,6 +147,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 		assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
 
+		t.Logf("Check no_new_privs")
+		assert.Equal(t, spec.Process.NoNewPrivileges, true)
+
 		t.Logf("Check cgroup path")
 		assert.Equal(t, getCgroupsPath("/test/cgroup/parent", id), spec.Linux.CgroupsPath)