Add NoNewPrivileges setting for linux #290

Merged 1 commit, Jan 20, 2016
11 changes: 11 additions & 0 deletions runtime-config-linux.md
Expand Up @@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
```json
"rootfsPropagation": "slave",
```

## No new privileges

Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
Contributor

Should the default be true?

Member

nope

On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com wrote:

> Should the default be true?

Contributor

Why not?

On Wed, Jan 20, 2016 at 2:14 PM, Vincent Batts notifications@github.com wrote:

> nope

Contributor

@wking wking Jan 20, 2016 via email

Contributor

Acknowledged.

[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
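The prctl mechanism referred to above, as an added example that is not code from this PR or from the OCI project: set `PR_SET_NO_NEW_PRIVS` the way a runtime would on the process that is about to execve the container's entrypoint, confirm it through `PR_GET_NO_NEW_PRIVS` and the `NoNewPrivs` line of `/proc/self/status`, and exercise two properties the spec text leaves implicit, namely that the flag is inherited by children and cannot be cleared once set. The function names are the example's own; it assumes a Linux kernel new enough for the prctl (3.5+) and, for the `/proc` check, 4.10+.

```c
/* Added example: exercising the no_new_privs flag behind the
 * `noNewPrivileges` setting. Not code from this PR or the OCI project;
 * the function names are the example's own. Linux only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* Fallbacks for old libc headers; these are the kernel's values. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* What a runtime does when noNewPrivileges is true: set the flag on the
 * process that will execve the container's entrypoint. 0 on success. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if the flag is set, 0 if not, -1 on error (kernel without it). */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The check an operator can run inside a running container without a
 * compiler: the NoNewPrivs line of /proc/self/status (Linux 4.10+).
 * Returns 1 or 0, or -1 if the line is absent. */
int status_no_new_privs(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            result = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return result;
}

/* The flag is one-way: the kernel accepts only arg2 == 1, so asking for 0
 * fails with EINVAL and the flag stays set. Returns 1 if still set. */
int flag_is_sticky(void)
{
    (void)prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0); /* expected to fail */
    return get_no_new_privs() == 1;
}

/* The flag is inherited across fork (and survives execve), which is why
 * setting it once on the container's init process covers every process
 * started inside it. Returns the child's view of the flag, or -1. */
int child_sees_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int v = get_no_new_privs();
        _exit(v < 0 ? 255 : v);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    printf("before: prctl=%d status=%d\n", get_no_new_privs(), status_no_new_privs());
    if (set_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  prctl=%d status=%d\n", get_no_new_privs(), status_no_new_privs());
    printf("cannot be cleared: %s\n", flag_is_sticky() ? "yes" : "no");
    printf("child inherits it: %s\n", child_sees_no_new_privs() == 1 ? "yes" : "no");
    return 0;
}
```

If the "before" line already reports 1, the process was started under the flag by whatever launched it (a container runtime honouring this setting, for instance); because the flag is inherited and one-way, nothing in the process tree can undo that, which is the point of having the runtime set it before execve rather than leaving it to the workload.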

Member

give the line item information on it here (that it's a bool and whether required)

###### Example

```json
"noNewPrivileges": true,
```
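Review bot: The new section describes what `noNewPrivileges` does but not its type, whether it is required, or its default; the Go field added in this same PR (`NoNewPrivileges bool` with `omitempty`) makes it an optional boolean that is false when absent, so the markdown should state that up front, e.g. `**noNewPrivileges** (bool, optional, default false)` before the sentence. It should also link the kernel documentation for `no_new_privs` raised in the discussion (https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) and tighten "gaining additional privileges" to the actual guarantee: once the runtime sets the flag with prctl(PR_SET_NO_NEW_PRIVS), execve will not grant privileges the process does not already hold (setuid/setgid bits and file capabilities are ignored), the flag is inherited by every child, and it cannot be cleared.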
4 changes: 3 additions & 1 deletion runtime_config_linux.go
Expand Up @@ -39,8 +39,10 @@ type LinuxRuntime struct {
SelinuxProcessLabel string `json:"selinuxProcessLabel"`
// Seccomp specifies the seccomp security settings for the container.
Seccomp Seccomp `json:"seccomp"`
// RootfsPropagation is the rootfs mount propagation mode for the container
// RootfsPropagation is the rootfs mount propagation mode for the container.
RootfsPropagation string `json:"rootfsPropagation,omitempty"`
// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
}

// Namespace is the configuration for a linux namespace
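Review bot: The comment on `NoNewPrivileges` ("controls whether additional privileges could be gained") leaves the polarity ambiguous; match the markdown and state that `true` is the restrictive value, e.g. `// NoNewPrivileges, when true, prevents processes in the container from gaining additional privileges.` With `omitempty` on a bool the false value is dropped on serialization, so an explicit `"noNewPrivileges": false` and an absent key are indistinguishable; that is acceptable only because false is the default, and the spec text should record that default. The added period on the `RootfsPropagation` comment is an unrelated change that would be cleaner in its own commit.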