Add logging message for noNewPrivileges OCI option.
noNewPrivileges is ignored if set to false since gVisor assumes that PR_SET_NO_NEW_PRIVS is always enabled. PiperOrigin-RevId: 305991947
This commit is contained in:
parent
09ddb5a426
commit
daf3322498
|
@ -455,7 +455,7 @@ func (t *Task) SetKeepCaps(k bool) {
|
|||
t.creds.Store(creds)
|
||||
}
|
||||
|
||||
// updateCredsForExec updates t.creds to reflect an execve().
|
||||
// updateCredsForExecLocked updates t.creds to reflect an execve().
|
||||
//
|
||||
// NOTE(b/30815691): We currently do not implement privileged executables
|
||||
// (set-user/group-ID bits and file capabilities). This allows us to make a lot
|
||||
|
|
|
@ -161,8 +161,8 @@ func Prctl(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
|
|||
if args[1].Int() != 1 || args[2].Int() != 0 || args[3].Int() != 0 || args[4].Int() != 0 {
|
||||
return 0, nil, syserror.EINVAL
|
||||
}
|
||||
// no_new_privs is assumed to always be set. See
|
||||
// kernel.Task.updateCredsForExec.
|
||||
// PR_SET_NO_NEW_PRIVS is assumed to always be set.
|
||||
// See kernel.Task.updateCredsForExecLocked.
|
||||
return 0, nil, nil
|
||||
|
||||
case linux.PR_GET_NO_NEW_PRIVS:
|
||||
|
|
|
@ -92,6 +92,12 @@ func ValidateSpec(spec *specs.Spec) error {
|
|||
log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
|
||||
}
|
||||
|
||||
// PR_SET_NO_NEW_PRIVS is assumed to always be set.
|
||||
// See kernel.Task.updateCredsForExecLocked.
|
||||
if !spec.Process.NoNewPrivileges {
|
||||
log.Warningf("noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.")
|
||||
}
|
||||
|
||||
// TODO(gvisor.dev/issue/510): Apply seccomp to application inside sandbox.
|
||||
if spec.Linux != nil && spec.Linux.Seccomp != nil {
|
||||
log.Warningf("Seccomp spec is being ignored")
|
||||
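Review bot: The new warning fires whenever spec.Process.NoNewPrivileges is false, which is also the zero value a Go bool takes when the OCI spec omits the field, so every bundle that never set noNewPrivileges will log this on each start; it would be worth confirming that is intended, and if not, only warning when the field was explicitly present. The wording also reads as if a hardening setting is being dropped, while the comment above it says the sandbox always behaves as if PR_SET_NO_NEW_PRIVS is set, i.e. the effective behaviour is the stricter one; making that explicit avoids operators treating the line as a security regression, e.g. `log.Warningf("noNewPrivileges=false ignored; the sandbox always behaves as if PR_SET_NO_NEW_PRIVS is set (see kernel.Task.updateCredsForExecLocked)")`. ValidateSpec starts outside the hunk, so whether spec.Process is nil-checked before the existing ApparmorProfile access above is assumed rather than visible here.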
|
|