Merge pull request #14415 from nicrowe00/14133

no-new-privileges format
2024-10-19 08:44:11 +00:00 · 2022-05-31 05:07:28 -04:00 · 2022-05-31 05:07:28 -04:00 · ccc087a30e
parent a550af260a 7e69e2b532
commit ccc087a30e
2 changed files with 25 additions and 1 deletions
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		if opt == "no-new-privileges" {
 			s.ContainerSecurityConfig.NoNewPrivileges = true
 		} else {
-			con := strings.SplitN(opt, "=", 2)
+			// Docker deprecated the ":" syntax but still supports it,
+			// so we need to as well
+			var con []string
+			if strings.Contains(opt, "=") {
+				con = strings.SplitN(opt, "=", 2)
+			} else {
+				con = strings.SplitN(opt, ":", 2)
+			}
 			if len(con) != 2 {
 				return fmt.Errorf("invalid --security-opt 1: %q", opt)
 			}
@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 				}
 			case "unmask":
 				s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
+			case "no-new-privileges":
+				noNewPrivileges, err := strconv.ParseBool(con[1])
+				if err != nil {
+					return fmt.Errorf("invalid --security-opt 2: %q", opt)
+				}
+				s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
 			default:
 				return fmt.Errorf("invalid --security-opt 2: %q", opt)
 			}
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -855,4 +855,15 @@ EOF
    run_podman rmi $test_image
 }

+@test "podman create --security-opt" {
+    run_podman create --security-opt no-new-privileges=true $IMAGE
+    run_podman rm $output
+    run_podman create --security-opt no-new-privileges:true $IMAGE
+    run_podman rm $output
+    run_podman create --security-opt no-new-privileges=false $IMAGE
+    run_podman rm $output
+    run_podman create --security-opt no-new-privileges $IMAGE
+    run_podman rm $output
+}
+
 # vim: filetype=sh