From c28ce39cea8e8dc8d7ff13c0fa0f7ca6217c2dab Mon Sep 17 00:00:00 2001
From: Phil Estes
Date: Fri, 14 Sep 2018 11:03:58 -0400
Subject: [PATCH] Add flag to ctr for running with NoNewPrivileges: false

Add flag and With-helper to set NoNewPrivileges to false since it is on by default in the default UNIX spec for containerd, but off by default in Docker and CRI plugin use. This allows for easy testing with it off for comparison.

Signed-off-by: Phil Estes
---
 cmd/ctr/commands/commands.go | 4 ++++
 cmd/ctr/commands/run/run_unix.go | 3 +++
 oci/spec_opts.go | 8 ++++++++
 3 files changed, 15 insertions(+)

diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
index 527516094..cba982454 100644
--- a/cmd/ctr/commands/commands.go
+++ b/cmd/ctr/commands/commands.go
@@ -124,6 +124,10 @@ var (
 Name: "gpus",
 Usage: "add gpus to the container",
 },
+ cli.BoolFlag{
+ Name: "allow-new-privs",
+ Usage: "turn off OCI spec's NoNewPrivileges feature flag",
+ },
 }
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
index d82b0e648..a6d61bf5d 100644
--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -136,6 +136,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 if context.IsSet("gpus") {
 opts = append(opts, nvidia.WithGPUs(nvidia.WithDevices(context.Int("gpus")), nvidia.WithAllCapabilities))
 }
+ if context.IsSet("allow-new-privs") {
+ opts = append(opts, oci.WithNewPrivileges)
+ }
 }
 cOpts = append(cOpts, containerd.WithContainerLabels(commands.LabelArgs(context.StringSlice("label"))))
 
diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index d7fe4a29f..f915080b7 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
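Review bot: The usage text for `allow-new-privs` names the mechanism it disables but not the consequence, and the consequence is what an operator needs to see before passing the flag: with NoNewPrivileges cleared, the container process can gain privileges on execve through setuid/setgid binaries and file capabilities. Suggest `Usage: "allow the container process to gain privileges via setuid/file capabilities (disables NoNewPrivileges; for testing only)",`. The commit message positions this as a testing aid for comparing against Docker/CRI behaviour, so the help text should say so rather than read like a neutral tuning knob. The flag sits inside a var block whose start lies outside the hunk.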
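Review bot: The guard `context.IsSet("allow-new-privs")` keys on whether the flag appeared on the command line rather than on its value, so an explicit `--allow-new-privs=false` would, if the CLI library (presumably urfave/cli, given `cli.BoolFlag`) counts it as set, still append `oci.WithNewPrivileges` and clear NoNewPrivileges. For a BoolFlag the value test is the safer check: `if context.Bool("allow-new-privs") {`. Copying the `IsSet` pattern from the `gpus` IntFlag above is understandable, but this is the one option in the block that relaxes a default protection, so the failure mode should be "protection stays on", not "protection silently off". NewContainer begins before the hunk and continues past it.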
@@ -268,6 +268,14 @@ func WithLinuxNamespace(ns specs.LinuxNamespace) SpecOpts {
 }
 }
 
+// WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec
+func WithNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+ setProcess(s)
+ s.Process.NoNewPrivileges = false
+
+ return nil
+}
+
 // WithImageConfig configures the spec to from the configuration of an Image
 func WithImageConfig(image Image) SpecOpts {
 return WithImageConfigArgs(image, nil)
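Review bot: The doc comment on WithNewPrivileges says which field it clears but not what clearing it permits, and since this is an exported SpecOpts anyone composing a spec should be told they are opting out of a protection: with NoNewPrivileges false the process can gain privileges on execve via setuid/setgid binaries or file capabilities, and the commit message notes that containerd's default UNIX spec turns the protection on. Suggest replacing the comment with `// WithNewPrivileges clears NoNewPrivileges on the spec's process, so the container`, `// can gain privileges via setuid/setgid binaries or file capabilities on execve.`, `// It weakens the default UNIX spec and is intended for testing and comparison only.` Because the opt writes `s.Process.NoNewPrivileges` directly (after `setProcess(s)`, which presumably only ensures `s.Process` is non-nil), it is order-dependent: any SpecOpts applied later that replaces `s.Process` wholesale would undo it, which is worth one more sentence in the comment. The neighbouring WithLinuxNamespace and WithImageConfig bodies begin and end outside the hunk.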