From 5f327ba339b7b1927f7282c749c8d2927c69685c Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Mon, 4 Jan 2016 18:36:24 -0500
Subject: [PATCH] Add NoNewPrivileges setting for linux

This is a security setting that could be used to prevent processes in the container from gaining additional privileges.

Signed-off-by: Mrunal Patel
---
 runtime-config-linux.md | 11 +++++++++++
 runtime_config_linux.go |  4 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/runtime-config-linux.md b/runtime-config-linux.md
index 34b291caa..85aefc786 100644
--- a/runtime-config-linux.md
+++ b/runtime-config-linux.md
@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
 ```json
     "rootfsPropagation": "slave",
 ```
+
+## No new privileges
+
+Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
+[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
+
+###### Example
+
+```json
+    "noNewPrivileges": true,
+```
diff --git a/runtime_config_linux.go b/runtime_config_linux.go
index d01cc7bc3..dfe6e2516 100644
--- a/runtime_config_linux.go
+++ b/runtime_config_linux.go
@@ -39,8 +39,10 @@ type LinuxRuntime struct {
 	SelinuxProcessLabel string `json:"selinuxProcessLabel"`
 	// Seccomp specifies the seccomp security settings for the container.
 	Seccomp Seccomp `json:"seccomp"`
-	// RootfsPropagation is the rootfs mount propagation mode for the container
+	// RootfsPropagation is the rootfs mount propagation mode for the container.
 	RootfsPropagation string `json:"rootfsPropagation,omitempty"`
+	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
+	NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
 }
 
 // Namespace is the configuration for a linux namespace
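Review bot: The doc comment on the new `NoNewPrivileges` field in the runtime_config_linux.go hunk does not state which value is the restrictive one or what the default is, so a reader of the Go type alone cannot tell that only `true` restricts; with `omitempty` an unset field and an explicit `false` also serialize identically, so both necessarily mean "no restriction". I would make the polarity and default explicit: `// NoNewPrivileges, when true, requires that processes in the container cannot gain additional privileges (the kernel's no_new_privs setting, applied with prctl); false or unset leaves the default behaviour.` The runtime-config-linux.md hunk likewise documents only the `true` case and could state the same default in one sentence. The enclosing `LinuxRuntime` struct begins before this hunk.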