Merge branch 'master' into security_fixes

shishir-a412ed · web-flow · commit 38d7d98b177f · 2021-12-09T12:37:02.000-08:00
diff --git a/containerd/containerd.go b/containerd/containerd.go
@@ -149,7 +149,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 
 	// Enable privileged mode.
 	if config.Privileged {
-		opts = append(opts, oci.WithPrivileged)
+		opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices, oci.WithNewPrivileges)
 	}
 
 	// WithPidsLimit sets the container's pid limit or maximum
diff --git a/tests/004-test-privileged.sh b/tests/004-test-privileged.sh
@@ -41,7 +41,7 @@ test_privileged_nomad_job() {
     # depending on the execution environment.
     expected_capabilities="37"
     if [[ "$GITHUB_ACTIONS" == "true" ]]; then
-       expected_capabilities="39"
+       expected_capabilities="40"
     fi
 
     actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}')

Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,7 @@ func (d Driver) createContainer(containerConfig ContainerConfig, config *TaskC`
`149`	`149`
`150`	`150`	`// Enable privileged mode.`
`151`	`151`	`if config.Privileged {`
`152`		`- opts = append(opts, oci.WithPrivileged)`
	`152`	`+ opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices, oci.WithNewPrivileges)`
`153`	`153`	`}`
`154`	`154`
`155`	`155`	`// WithPidsLimit sets the container's pid limit or maximum`