Merge pull request #2649 from estesp/nonewpriv-flag

Add flag to ctr for running with "NoNewPrivileges: false"

cmd/ctr/commands/commands.go

@@ -124,6 +124,10 @@ var (
 			Name:  "gpus",
 			Usage: "add gpus to the container",
 		},
+		cli.BoolFlag{
+			Name:  "allow-new-privs",
+			Usage: "turn off OCI spec's NoNewPrivileges feature flag",
+		},
 	}
 )
 

cmd/ctr/commands/run/run_unix.go

@@ -136,6 +136,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		if context.IsSet("gpus") {
 			opts = append(opts, nvidia.WithGPUs(nvidia.WithDevices(context.Int("gpus")), nvidia.WithAllCapabilities))
 		}
+		if context.IsSet("allow-new-privs") {
+			opts = append(opts, oci.WithNewPrivileges)
+		}
 	}
 
 	cOpts = append(cOpts, containerd.WithContainerLabels(commands.LabelArgs(context.StringSlice("label"))))