Merge pull request #1 from google/master

catch up
author: kevin.xu <cming.xu@gmail.com> 2020-04-27 21:51:31 +0800
committer: GitHub <noreply@github.com> 2020-04-27 21:51:31 +0800
commit: e896ca54db67524afc20b644d43c72185e72dc0e (patch)
tree: 2a16f3a62a5cafd098f1f028c621f1b655589d69 /runsc/specutils/specutils.go
parent: 1f19624fa127d7d59cabe29593cc80b7fe6c81f8 (diff)
parent: 3c67754663f424f2ebbc0ff2a4c80e30618d5355 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index d3c2e4e78..837d5e238 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -92,6 +92,12 @@ func ValidateSpec(spec *specs.Spec) error {
 		log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
 	}
 
+	// PR_SET_NO_NEW_PRIVS is assumed to always be set.
+	// See kernel.Task.updateCredsForExecLocked.
+	if !spec.Process.NoNewPrivileges {
+		log.Warningf("noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.")
+	}
+
 	// TODO(gvisor.dev/issue/510): Apply seccomp to application inside sandbox.
 	if spec.Linux != nil && spec.Linux.Seccomp != nil {
 		log.Warningf("Seccomp spec is being ignored")
@@ -528,3 +534,8 @@ func EnvVar(env []string, name string) (string, bool) {
 	}
 	return "", false
 }
+
+// FaqErrorMsg returns an error message pointing to the FAQ.
+func FaqErrorMsg(anchor, msg string) string {
+	return fmt.Sprintf("%s; see https://gvisor.dev/faq#%s for more details", msg, anchor)
+}
author	kevin.xu <cming.xu@gmail.com>	2020-04-27 21:51:31 +0800
committer	GitHub <noreply@github.com>	2020-04-27 21:51:31 +0800
commit	e896ca54db67524afc20b644d43c72185e72dc0e (patch)
tree	2a16f3a62a5cafd098f1f028c621f1b655589d69 /runsc/specutils/specutils.go
parent	1f19624fa127d7d59cabe29593cc80b7fe6c81f8 (diff)
parent	3c67754663f424f2ebbc0ff2a4c80e30618d5355 (diff)