Add NoNewPrivileges setting for linux

This is a security setting that could be used to prevent processes in the container from gaining additional privileges. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-04 18:36:24 -05:00 · 2016-01-04 18:36:24 -05:00 · 5f327ba339
parent 4060e6c1cc
commit 5f327ba339
2 changed files with 14 additions and 1 deletions
--- a/runtime-config-linux.md
+++ b/runtime-config-linux.md
@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
 ```json
    "rootfsPropagation": "slave",
 ```
+
+## No new privileges
+
+Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
+[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.
+
+###### Example
+
+```json
+    "noNewPrivileges": true,
+```
--- a/runtime_config_linux.go
+++ b/runtime_config_linux.go
@ -39,8 +39,10 @@ type LinuxRuntime struct {
 	SelinuxProcessLabel string `json:"selinuxProcessLabel"`
 	// Seccomp specifies the seccomp security settings for the container.
 	Seccomp Seccomp `json:"seccomp"`
-	// RootfsPropagation is the rootfs mount propagation mode for the container
+	// RootfsPropagation is the rootfs mount propagation mode for the container.
 	RootfsPropagation string `json:"rootfsPropagation,omitempty"`
+	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
+	NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
 }

 // Namespace is the configuration for a linux namespace