containers · openshift-ci · Oct 7, 2023 · Oct 4, 2023
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
@@ -348,7 +348,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		_ = cmd.RegisterFlagCompletionFunc(podIDFileFlagName, completion.AutocompleteDefault)
 		createFlags.BoolVar(
 			&cf.Privileged,
-			"privileged", false,
+			"privileged", podmanConfig.ContainersConfDefaultsRO.Containers.Privileged,
 			"Give extended privileges to container",
 		)
 		createFlags.BoolVarP(

diff --git a/cmd/podman/containers/exec.go b/cmd/podman/containers/exec.go
@@ -53,6 +53,7 @@ var (
 )
 
 func execFlags(cmd *cobra.Command) {
+	podmanConfig := registry.PodmanConfig()
 	flags := cmd.Flags()
 
 	flags.SetInterspersed(false)
@@ -71,7 +72,7 @@ func execFlags(cmd *cobra.Command) {
 	_ = cmd.RegisterFlagCompletionFunc(envFileFlagName, completion.AutocompleteDefault)
 
 	flags.BoolVarP(&execOpts.Interactive, "interactive", "i", false, "Keep STDIN open even if not attached")
-	flags.BoolVar(&execOpts.Privileged, "privileged", false, "Give the process extended Linux capabilities inside the container.  The default is false")
+	flags.BoolVar(&execOpts.Privileged, "privileged", podmanConfig.ContainersConfDefaultsRO.Containers.Privileged, "Give the process extended Linux capabilities inside the container.  The default is false")
 	flags.BoolVarP(&execOpts.Tty, "tty", "t", false, "Allocate a pseudo-TTY. The default is false")
 
 	userFlagName := "user"

diff --git a/docs/source/markdown/options/privileged.md b/docs/source/markdown/options/privileged.md
@@ -16,5 +16,8 @@ mode (**--systemd=always**).
 A privileged container turns off the security features that isolate the
 container from the host. Dropped Capabilities, limited devices, read-only mount
 points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+Due to the disabled security features, the privileged field should almost never
+be set as containers can easily break out of confinement.
 
-Rootless containers cannot have more privileges than the account that launched them.
+Containers running in a user namespace (e.g., rootless containers) cannot have
+more privileges than the user that launched them.
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.3.0
 	github.com/containers/buildah v1.32.0
-	github.com/containers/common v0.56.1-0.20231002091908-745eaa498509
+	github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.1
 	github.com/containers/image/v5 v5.28.0

diff --git a/go.sum b/go.sum
@@ -249,8 +249,8 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
 github.com/containers/buildah v1.32.0 h1:uz5Rcf7lGeStj7iPTBgO4UdhQYZqMMzyt9suDf16k1k=
 github.com/containers/buildah v1.32.0/go.mod h1:sN3rA3DbnqekNz3bNdkqWduuirYDuMs54LUCOZOomBE=
-github.com/containers/common v0.56.1-0.20231002091908-745eaa498509 h1:og5WEvZ2R4WMaO7L3F+Nfq0vfhtIZBxfG6BOVpG+Vfs=
-github.com/containers/common v0.56.1-0.20231002091908-745eaa498509/go.mod h1:8whK9BaTeJqaSTAM0r2A7OdW+XVS+4X9SVh0D6zxpek=
+github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b h1:LIHpr2o8WakQ48q2GAQZlMAG+zsVJPOQSLraxP7j9fI=
+github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b/go.mod h1:8gifkvVxN1oOHJ9Yp/SHWcN6MlxdC0gZCF2+MaWjErc=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.1 h1:+Rc+sOPplrkQb/BUXeN0ug8TxjgyrIqo/9P/eNS2A4c=

diff --git a/pkg/api/handlers/libpod/containers_create.go b/pkg/api/handlers/libpod/containers_create.go
@@ -13,6 +13,7 @@ import (
 	"github.com/containers/podman/v4/pkg/specgen"
 	"github.com/containers/podman/v4/pkg/specgen/generate"
 	"github.com/containers/podman/v4/pkg/specgenutil"
+	"github.com/sirupsen/logrus"
 )
 
 // CreateContainer takes a specgenerator and makes a container. It returns
@@ -31,14 +32,16 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 			UseImageHosts: conf.Containers.NoHosts,
 		},
 		ContainerSecurityConfig: specgen.ContainerSecurityConfig{
-			Umask: conf.Containers.Umask,
+			Umask:      conf.Containers.Umask,
+			Privileged: conf.Containers.Privileged,
 		},
 	}
 
 	if err := json.NewDecoder(r.Body).Decode(&sg); err != nil {
 		utils.Error(w, http.StatusInternalServerError, fmt.Errorf("decode(): %w", err))
 		return
 	}
+	logrus.Errorf("Privileged: %v", sg.ContainerSecurityConfig.Privileged)
 	if sg.Passwd == nil {
 		t := true
 		sg.Passwd = &t

diff --git a/test/system/800-config.bats b/test/system/800-config.bats
@@ -188,12 +188,34 @@ EOF
     cat > $conf_tmp <<EOF
 [containers]
 env_host=true
+privileged=true
 EOF
 
-    # Make sure env_host variable is read
     random_env_var="expected_env_var_$(random_string 15)"
-    FOO="$random_env_var" run_podman --module=$conf_tmp run --rm $IMAGE /bin/printenv FOO
-    is "$output" "$random_env_var" "--module should yield injecting host env vars into the container"
+    FOO="$random_env_var" run_podman --module=$conf_tmp run -d --name=$cname $IMAGE top
+    cname="$output"
+
+    # Make sure `env_host` is read
+    run_podman container inspect $cname --format "{{.Config.Env}}"
+    assert "$output" =~ "FOO=$random_env_var" "--module should yield injecting host env vars into the container"
+
+    # Make sure `privileged` is read during container creation
+    run_podman container inspect $cname --format "{{.HostConfig.Privileged}}"
+    assert "$output" = "true" "--module should enable a privileged container"
+
+    run_podman rm -f -t0 $cname
+
+    # Make sure `privileged` is read during exec, which requires running a
+    # non-privileged container.
+    run_podman run -d $IMAGE top
+    cname="$output"
+
+    run_podman container exec $cname grep CapBnd /proc/self/status
+    non_privileged_caps="$output"
+    run_podman --module=$conf_tmp container exec $cname grep CapBnd /proc/self/status
+    assert "$output" != "$non_privileged_caps" "--module should enable a prvileged exec session"
+
+    run_podman rm -f -t0 $cname
 }
 
 # vim: filetype=sh
diff --git a/vendor/github.com/containers/common/libimage/copier.go b/vendor/github.com/containers/common/libimage/copier.go
diff --git a/vendor/github.com/containers/common/libimage/filters.go b/vendor/github.com/containers/common/libimage/filters.go
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/network.go b/vendor/github.com/containers/common/libnetwork/netavark/network.go
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd b/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -164,7 +164,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.56.1-0.20231002091908-745eaa498509
+# github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b
 ## explicit; go 1.18
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define