From daf3322498b698518a3c8545ad05f790deb3848c Mon Sep 17 00:00:00 2001
From: Ian Lewis <ianlewis@google.com>
Date: Fri, 10 Apr 2020 20:31:07 -0700
Subject: Add logging message for noNewPrivileges OCI option.

noNewPrivileges is ignored if set to false since gVisor assumes that
PR_SET_NO_NEW_PRIVS is always enabled.

PiperOrigin-RevId: 305991947
---
 runsc/specutils/specutils.go | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'runsc/specutils')

diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index 0f4a9cf6d..837d5e238 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -92,6 +92,12 @@ func ValidateSpec(spec *specs.Spec) error {
 		log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
 	}
 
+	// PR_SET_NO_NEW_PRIVS is assumed to always be set.
+	// See kernel.Task.updateCredsForExecLocked.
+	if !spec.Process.NoNewPrivileges {
+		log.Warningf("noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.")
+	}
+
 	// TODO(gvisor.dev/issue/510): Apply seccomp to application inside sandbox.
 	if spec.Linux != nil && spec.Linux.Seccomp != nil {
 		log.Warningf("Seccomp spec is being ignored")
-- 
cgit v1.2.3