summaryrefslogtreecommitdiffhomepage
path: root/runsc/specutils
diff options
context:
space:
mode:
authorIan Lewis <ianlewis@google.com>2020-04-10 20:31:07 -0700
committergVisor bot <gvisor-bot@google.com>2020-04-10 20:32:23 -0700
commitdaf3322498b698518a3c8545ad05f790deb3848c (patch)
tree9c284900bf1353fd873f923ea06faa4a1f414027 /runsc/specutils
parent09ddb5a4262c39744643b612109dd12dcce176a8 (diff)
Add logging message for noNewPrivileges OCI option.
noNewPrivileges is ignored if set to false since gVisor assumes that PR_SET_NO_NEW_PRIVS is always enabled. PiperOrigin-RevId: 305991947
Diffstat (limited to 'runsc/specutils')
-rw-r--r--runsc/specutils/specutils.go6
1 files changed, 6 insertions, 0 deletions
diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index 0f4a9cf6d..837d5e238 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -92,6 +92,12 @@ func ValidateSpec(spec *specs.Spec) error {
log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
}
+ // PR_SET_NO_NEW_PRIVS is assumed to always be set.
+ // See kernel.Task.updateCredsForExecLocked.
+ if !spec.Process.NoNewPrivileges {
+ log.Warningf("noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.")
+ }
+
// TODO(gvisor.dev/issue/510): Apply seccomp to application inside sandbox.
if spec.Linux != nil && spec.Linux.Seccomp != nil {
log.Warningf("Seccomp spec is being ignored")