Support --no-privs in --oci mode #1477

Closed
Tracked by #1467
dtrudg opened this issue Mar 24, 2023 · 0 comments · Fixed by #1800
dtrudg commented Mar 24, 2023

If --no-privs is specified on the command line, then the container process should have an empty capability set, and NoNewPrivs should be set.

Since there are some capabilities set (bounding) on non-root users in --oci mode, this flag will apply to all cases... not just when run by root (as in native mode).
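A quick way to confirm, from inside a container, that the state the issue asks for was actually reached is to read the capability masks and the NoNewPrivs flag the kernel reports in /proc/self/status. The following Go program is an added example, not Singularity's own code: it parses those fields, and reports whether every capability set (including the bounding set, which is the one still populated for non-root users in --oci mode) is empty and no_new_privs is on. The two embedded status snippets are constructed samples, not captures from a real container.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// PrivState summarises the capability masks and the no_new_privs flag that
// the kernel reports in /proc/<pid>/status.
type PrivState struct {
	CapInh, CapPrm, CapEff, CapBnd, CapAmb uint64
	NoNewPrivs                             bool
}

// parseStatus extracts the "Cap*:" lines (hex masks) and the "NoNewPrivs:"
// line from the text of a /proc/<pid>/status file. Other lines are ignored.
func parseStatus(text string) (PrivState, error) {
	var st PrivState
	masks := map[string]*uint64{
		"CapInh": &st.CapInh,
		"CapPrm": &st.CapPrm,
		"CapEff": &st.CapEff,
		"CapBnd": &st.CapBnd,
		"CapAmb": &st.CapAmb,
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val) // the kernel separates key and value with a tab
		if p, isMask := masks[key]; isMask {
			v, err := strconv.ParseUint(val, 16, 64)
			if err != nil {
				return st, fmt.Errorf("%s: %w", key, err)
			}
			*p = v
		} else if key == "NoNewPrivs" {
			st.NoNewPrivs = val == "1"
		}
	}
	return st, sc.Err()
}

// IsNoPrivs reports whether the state matches what --no-privs is meant to
// produce: every capability set is empty (the bounding set included, so a
// setuid or file-capability binary cannot re-acquire anything) and
// no_new_privs is enabled.
func (s PrivState) IsNoPrivs() bool {
	return s.CapInh|s.CapPrm|s.CapEff|s.CapBnd|s.CapAmb == 0 && s.NoNewPrivs
}

// readProcStatus parses the status file of a live process, e.g. "self".
func readProcStatus(pid string) (PrivState, error) {
	b, err := os.ReadFile("/proc/" + pid + "/status")
	if err != nil {
		return PrivState{}, err
	}
	return parseStatus(string(b))
}

// Constructed sample (not a real capture): a non-root process with a full
// bounding set and no_new_privs off, i.e. the situation the issue describes.
const sampleOCIDefault = `Name: sh
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
NoNewPrivs: 0
`

// Constructed sample (not a real capture): what --no-privs should leave behind.
const sampleNoPrivs = `Name: sh
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000
NoNewPrivs: 1
`

func main() {
	st, err := readProcStatus("self")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CapBnd=%016x CapEff=%016x NoNewPrivs=%v no-privs=%v\n",
		st.CapBnd, st.CapEff, st.NoNewPrivs, st.IsNoPrivs())
}
```

Run it as the container's entrypoint (or via `cat /proc/self/status` by hand) once with and once without `--no-privs`; the bounding-set mask is the field that distinguishes the two cases for a non-root user, which is why checking CapEff alone is not enough.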

@dtrudg dtrudg self-assigned this Jun 21, 2023
dtrudg added a commit to dtrudg/singularity that referenced this issue Jun 21, 2023
When `--no-privs` is set on the command line:

* The container process capability set should be empty.
* NoNewPrivileges should be enabled for the container process.

Fixes sylabs#1477
dtrudg added a commit to dtrudg/singularity that referenced this issue Jun 21, 2023
edytuk pushed a commit to vzokay/apptainer that referenced this issue Jul 12, 2023
When `--no-privs` is set on the command line:

* The container process capability set should be empty.
* NoNewPrivileges should be enabled for the container process.

Fixes sylabs/singularity#1477

Signed-off-by: Edita Kizinevic <[email protected]>
edytuk pushed a commit to vzokay/apptainer that referenced this issue Jul 21, 2023
edytuk pushed a commit to vzokay/apptainer that referenced this issue Jul 24, 2023
edytuk pushed a commit to vzokay/apptainer that referenced this issue Jul 24, 2023
edytuk pushed a commit to vzokay/apptainer that referenced this issue Jul 24, 2023