Merge pull request containerd#2668 from estesp/cherry-pick-no-new-privs-flag

crosbymichael · web-flow · commit a9c2bd6d7578 · 2018-09-21T10:02:31.000-04:00
[release/1.1] Backport: Add flag to ctr for running with NoNewPrivileges: false
diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
@@ -124,6 +124,10 @@ var (
 			Name:  "gpus",
 			Usage: "add gpus to the container",
 		},
+		cli.BoolFlag{
+			Name:  "allow-new-privs",
+			Usage: "turn off OCI spec's NoNewPrivileges feature flag",
+		},
 	}
 )
 
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
@@ -113,6 +113,9 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 			Path: parts[1],
 		}))
 	}
+	if context.IsSet("allow-new-privs") {
+		opts = append(opts, oci.WithNewPrivileges)
+	}
 	if context.IsSet("config") {
 		var s specs.Spec
 		if err := loadSpec(context.String("config"), &s); err != nil {
diff --git a/oci/spec_opts_unix.go b/oci/spec_opts_unix.go
@@ -172,6 +172,14 @@ func WithNoNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s
 	return nil
 }
 
+// WithNewPrivileges turns off the NoNewPrivileges feature flag in the spec
+func WithNewPrivileges(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
+	setProcess(s)
+	s.Process.NoNewPrivileges = false
+
+	return nil
+}
+
 // WithHostHostsFile bind-mounts the host's /etc/hosts into the container as readonly
 func WithHostHostsFile(_ context.Context, _ Client, _ *containers.Container, s *specs.Spec) error {
 	s.Mounts = append(s.Mounts, specs.Mount{

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ var (`
`124`	`124`	`Name: "gpus",`
`125`	`125`	`Usage: "add gpus to the container",`
`126`	`126`	`},`
	`127`	`+ cli.BoolFlag{`
	`128`	`+ Name: "allow-new-privs",`
	`129`	`+ Usage: "turn off OCI spec's NoNewPrivileges feature flag",`
	`130`	`+ },`
`127`	`131`	`}`
`128`	`132`	`)`
`129`	`133`