
NoNewPrivileges support in docker #20329

Closed
mrunalp opened this issue Feb 15, 2016 · 6 comments
Labels
kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny
Comments

@mrunalp (Contributor) commented Feb 15, 2016

NoNewPrivileges support was added to the OCI spec and is in the process of being added to runc. The purpose of this issue is to discuss options for integrating this into docker. There are two options:

  1. Add a flag to enable this setting optionally.
  2. Enable this setting by default for all containers.

Any thoughts?

@crosbymichael @LK4D4 @rhatdan

@rhatdan (Contributor) commented Feb 15, 2016

It should definitely be optional; some people might want to run containers with lower privileges but still allow users to sudo or use setuid apps to raise privileges. I think Ping would be broken by turning this on by default at this point.

@mrunalp (Contributor, Author) commented Feb 15, 2016

@rhatdan Yes, I agree that is the safer option and won't break existing applications.

@thaJeztah (Member) commented

Would that be a new option to --security-opt? e.g. --security-opt=no-new-privileges?

@mrunalp (Contributor, Author) commented Feb 15, 2016

@thaJeztah That sounds good to me since this is a security setting.
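As an added illustration (not code from this issue, Docker or runc), this is the kernel primitive the proposed option wraps: a C program that sets the no_new_privs flag through prctl(2), shows the flag cannot be cleared again, and shows a forked child inherits it, which is why setuid binaries such as ping stop raising privileges once it is on. It assumes Linux with kernel 3.5+ headers.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set the no_new_privs flag on the calling process. This is what
 * --security-opt=no-new-privileges does for the container's init: after it,
 * execve() no longer grants privileges via setuid/setgid bits or file
 * capabilities, so setuid ping or sudo cannot elevate. Returns 0 or -1. */
int enable_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Read the flag back: 1 if set, 0 if clear, -1 on error. */
int no_new_privs_enabled(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The flag is one-way: the kernel accepts only the value 1, so an attempt
 * to clear it fails with EINVAL. Returns 1 if the attempt was refused. */
int clearing_is_refused(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL;
}

/* The flag is inherited across fork() and kept across execve(), so setting it
 * on the container's first process covers everything started inside it.
 * Forks a child that reports its own view via exit status; returns 1/0/-1. */
int child_inherits_flag(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(no_new_privs_enabled() == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    if (enable_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("no_new_privs=%d clearing_refused=%d child_sees=%d\n",
           no_new_privs_enabled(), clearing_is_refused(), child_inherits_flag());
    return 0;
}
```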

@thaJeztah added the kind/feature label Feb 15, 2016
@rhatdan (Contributor) commented Feb 15, 2016

SGTM

@tianon (Member) commented May 12, 2016

This was fixed by #20727 😄
