Podman no-new-privileges format

In docker, the format of no-new-privileges is "no-new-privileges:true". However, for Podman all that's required is "no-new-privileges", leading to issues when attempting to use features desgined for docker in podman. Adding support for the ":" format to be used along with the "=" format, depedning on which one is entered by the user. fixes containers#14133 Signed-off-by: Niall Crowe <[email protected]>
mheon · Jun 14, 2022 · 5b62524 · 5b62524
1 parent 8612fac
commit 5b62524
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
@@ -622,7 +622,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		if opt == "no-new-privileges" {
 			s.ContainerSecurityConfig.NoNewPrivileges = true
 		} else {
-			con := strings.SplitN(opt, "=", 2)
+			// Docker deprecated the ":" syntax but still supports it,
+			// so we need to as well
+			var con []string
+			if strings.Contains(opt, "=") {
+				con = strings.SplitN(opt, "=", 2)
+			} else {
+				con = strings.SplitN(opt, ":", 2)
+			}
 			if len(con) != 2 {
 				return fmt.Errorf("invalid --security-opt 1: %q", opt)
 			}
@@ -650,6 +657,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 				}
 			case "unmask":
 				s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
+			case "no-new-privileges":
+				noNewPrivileges, err := strconv.ParseBool(con[1])
+				if err != nil {
+					return fmt.Errorf("invalid --security-opt 2: %q", opt)
+				}
+				s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
 			default:
 				return fmt.Errorf("invalid --security-opt 2: %q", opt)
 			}

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
@@ -855,4 +855,15 @@ EOF
     run_podman rmi $test_image
 }
 
+@test "podman create --security-opt" {
+    run_podman create --security-opt no-new-privileges=true $IMAGE
+    run_podman rm $output
+    run_podman create --security-opt no-new-privileges:true $IMAGE
+    run_podman rm $output
+    run_podman create --security-opt no-new-privileges=false $IMAGE
+    run_podman rm $output
+    run_podman create --security-opt no-new-privileges $IMAGE
+    run_podman rm $output
+}
+
 # vim: filetype=sh