diff options
Diffstat (limited to 'runsc/boot')
-rw-r--r-- | runsc/boot/config.go | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go index 8564c502d..6112b6c0a 100644 --- a/runsc/boot/config.go +++ b/runsc/boot/config.go @@ -226,6 +226,12 @@ type Config struct { // to the same underlying network device. This allows netstack to better // scale for high throughput use cases. NumNetworkChannels int + + // Rootless allows the sandbox to be started with a user that is not root. + // Defense is depth measures are weaker with rootless. Specifically, the + // sandbox and Gofer process run as root inside a user namespace with root + // mapped to the caller's user. + Rootless bool } // ToFlags returns a slice of flags that correspond to the given Config. @@ -250,6 +256,7 @@ func (c *Config) ToFlags() []string { "--profile=" + strconv.FormatBool(c.ProfileEnable), "--net-raw=" + strconv.FormatBool(c.EnableRaw), "--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels), + "--rootless=" + strconv.FormatBool(c.Rootless), } if c.TestOnlyAllowRunAsCurrentUserWithoutChroot { // Only include if set since it is never to be used by users. |