hack to make runc work with --no-new-privileges
From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001 | |
Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614356653.git.dongsu@kinvolk.io> | |
From: Dongsu Park <dongsu@kinvolk.io> | |
Date: Fri, 26 Feb 2021 15:51:04 +0100 | |
Subject: [PATCH] libcontainer: disable prctl with NoNewPrivileges | |
To make runc work with --security-opt=no-new-privileges | |
--- | |
libcontainer/standard_init_linux.go | 13 ------------- | |
1 file changed, 13 deletions(-) | |
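--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error {
 if err != nil {
 return errors.Wrap(err, "get pdeath signal")
 }
-if l.config.NoNewPrivileges {
-if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
-return errors.Wrap(err, "set nonewprivileges")
-}
-}
 // Tell our parent that we're ready to Execv. This must be done before the
 // Seccomp rules have been applied, because we need to be able to read and
 // write to a socket.
@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error {
 // since been resolved.
 // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
 unix.Close(l.fifoFd)
-// Set seccomp as close to execve as possible, so as few syscalls take
-// place afterward (reducing the amount of syscalls that users need to
-// enable in their seccomp profiles).
-if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
-if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
-return newSystemErrorWithCause(err, "init seccomp")
-}
-}
 s := l.config.SpecState
 s.Pid = unix.Getpid()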
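Review bot: Removing the `seccomp.InitSeccomp` call in the second hunk leaves a container configured with both `Config.Seccomp != nil` and `NoNewPrivileges` with no seccomp filter applied at all, because this late-apply block was the one gated on `NoNewPrivileges` (the early-apply path, outside the hunk, is presumably gated on the negation, so it will not pick the profile up either). Together with the first hunk dropping `PR_SET_NO_NEW_PRIVS`, the spec's hardening settings are accepted and then silently ignored, which is the worst failure mode for a security knob: the caller believes they are in force. If the prctl genuinely has to be skipped in this build, make the unsupported combination loud rather than silent, e.g. replace the deleted seccomp block with `if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges { return newSystemErrorWithCause(errors.New("seccomp profile not applied"), "init seccomp with NoNewPrivileges") }`, and add a comment on the first hunk stating that NoNewPrivileges is intentionally not enforced. `Init()` begins and ends outside both hunks.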
-- | |
2.29.2 |