mirror of
https://github.com/containers/podman
synced 2024-10-19 08:44:11 +00:00
Merge pull request #14415 from nicrowe00/14133
no-new-privileges format
commit
ccc087a30e
|
@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
|
|||
if opt == "no-new-privileges" {
|
||||
s.ContainerSecurityConfig.NoNewPrivileges = true
|
||||
} else {
|
||||
con := strings.SplitN(opt, "=", 2)
|
||||
// Docker deprecated the ":" syntax but still supports it,
|
||||
// so we need to as well
|
||||
var con []string
|
||||
if strings.Contains(opt, "=") {
|
||||
con = strings.SplitN(opt, "=", 2)
|
||||
} else {
|
||||
con = strings.SplitN(opt, ":", 2)
|
||||
}
|
||||
if len(con) != 2 {
|
||||
return fmt.Errorf("invalid --security-opt 1: %q", opt)
|
||||
}
|
||||
|
@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
|
|||
}
|
||||
case "unmask":
|
||||
s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
|
||||
case "no-new-privileges":
|
||||
noNewPrivileges, err := strconv.ParseBool(con[1])
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid --security-opt 2: %q", opt)
|
||||
}
|
||||
s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
|
||||
default:
|
||||
return fmt.Errorf("invalid --security-opt 2: %q", opt)
|
||||
}
|
||||
|
|
|
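Review bot: The delimiter choice in the first hunk keys on `strings.Contains(opt, "=")` anywhere in the option, so a colon-form option whose value itself contains `=` is split at the `=` and its key would presumably match no case; it is rejected rather than misapplied, but the deprecated syntax is only partly supported. Splitting at whichever delimiter comes first avoids that: `if i := strings.IndexAny(opt, "=:"); i >= 0 { con = []string{opt[:i], opt[i+1:]} }`, leaving `con` nil for the existing `len(con) != 2` check. In the new `no-new-privileges` case the `strconv.ParseBool` error is dropped and the message is identical to the unknown-option one, so `fmt.Errorf("invalid --security-opt 2: %q: %w", opt, err)` would tell the user the value was not a boolean. Because that case assigns the parsed value directly, `no-new-privileges=false` presumably overrides an earlier bare `no-new-privileges` if options are handled in order; a comment such as `// last occurrence wins; an explicit false clears an earlier no-new-privileges` would record that this is intended. FillOutSpecGen starts and ends outside both hunks.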
@ -855,4 +855,15 @@ EOF
|
|||
run_podman rmi $test_image
|
||||
}
|
||||
|
||||
@test "podman create --security-opt" {
|
||||
run_podman create --security-opt no-new-privileges=true $IMAGE
|
||||
run_podman rm $output
|
||||
run_podman create --security-opt no-new-privileges:true $IMAGE
|
||||
run_podman rm $output
|
||||
run_podman create --security-opt no-new-privileges=false $IMAGE
|
||||
run_podman rm $output
|
||||
run_podman create --security-opt no-new-privileges $IMAGE
|
||||
run_podman rm $output
|
||||
}
|
||||
|
||||
# vim: filetype=sh
|
||||
|
|
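Review bot: The four cases in the new `podman create --security-opt` test assert only that `podman create` exits successfully, so they would still pass if the parsed value were ignored or inverted. For a hardening flag the test should also confirm the effect, for example by inspecting each created container and checking that the `=true`, `:true` and bare forms report no-new-privileges as set while `=false` does not. A negative case is missing as well: `run_podman 125 create --security-opt no-new-privileges=maybe $IMAGE` followed by a check that `$output` contains `invalid --security-opt` would pin the fail-closed behaviour of the boolean parse.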