Add no-new-privileges to SecurityOptions returned by /info

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Albin Kerouanton 2023-04-13 13:27:59 +02:00
parent 3d0bdfaa70
commit eb7738221c
No known key found for this signature in database
GPG key ID: 630B8E1DCBDB1864
5 changed files with 16 additions and 1 deletions


@ -5243,7 +5243,8 @@ definitions:
SecurityOptions:
description: |
List of security features that are enabled on the daemon, such as
apparmor, seccomp, SELinux, user-namespaces (userns), and rootless.
apparmor, seccomp, SELinux, user-namespaces (userns), rootless and
no-new-privileges.
Additional configuration options for each security feature may
be present, and are included as a comma-separated list of key/value


@ -170,6 +170,9 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
if daemon.cgroupNamespacesEnabled(sysInfo) {
securityOptions = append(securityOptions, "name=cgroupns")
}
if daemon.noNewPrivileges() {
securityOptions = append(securityOptions, "name=no-new-privileges")
}
v.SecurityOptions = securityOptions
}
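Review bot: The new `name=no-new-privileges` entry reports only the daemon-wide default read through `daemon.noNewPrivileges()`, so anyone auditing hosts through `/info` could mistake it for a guarantee that covers every container. If a container can still be started with `--security-opt no-new-privileges=false`, as the Docker CLI allows, the entry describes a default rather than an enforced policy. I would add above the new `if` the comment `// Reports the daemon-wide default only; individual containers may override it.` and confirm the override behaviour against the container-creation path, which is not visible here. fillSecurityOptions starts outside this hunk.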


@ -366,3 +366,7 @@ func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
func (daemon *Daemon) Rootless() bool {
return daemon.configStore.Rootless
}
func (daemon *Daemon) noNewPrivileges() bool {
return daemon.configStore.NoNewPrivileges
}
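Review bot: `noNewPrivileges()` is added without a doc comment, and the same holds for the stub in the following file section that unconditionally returns `false`. Nothing on the page says why the stub is unconditional; presumably that build targets a platform where the option is not supported. I would add `// noNewPrivileges reports whether no-new-privileges is enabled in the daemon configuration.` here. On the stub I would add `// noNewPrivileges always returns false; the option is not supported on this platform.` once that reason is confirmed.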


@ -22,3 +22,7 @@ func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
func (daemon *Daemon) Rootless() bool {
return false
}
func (daemon *Daemon) noNewPrivileges() bool {
return false
}


@ -23,6 +23,9 @@ keywords: "API, Docker, rcli, REST, documentation"
* `GET /images/json` no longer includes hardcoded `<none>:<none>` and
`<none>@<none>` in `RepoTags` and`RepoDigests` for untagged images.
In such cases, empty arrays will be produced instead.
* `GET /info` now includes `no-new-privileges` in the `SecurityOptions` string
list when this option is enabled globally. This change is not versioned, and
affects all API versions if the daemon has this patch.
## v1.42 API changes