Add no-new-privileg flag

The daemon config for defaulting to no-new-privileges for containers was added in d7fda019bb, but somehow we managed to omit the flag itself, but also documented the flag. This just adds the actual flag. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2022-11-09 12:21:53 -05:00 · 2017-05-01 10:15:03 -04:00 · 2017-05-01 10:15:03 -04:00 · ba332a60b2
commit ba332a60b2
parent f9f66f946f
2 changed files with 2 additions and 0 deletions
--- a/cmd/dockerd/config_unix.go
+++ b/cmd/dockerd/config_unix.go
@ -46,6 +46,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
 	flags.Int64Var(&conf.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds")
 	flags.StringVar(&conf.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")
 	flags.Var(&conf.ShmSize, "default-shm-size", "Default shm size for containers")
+	flags.BoolVar(&conf.NoNewPrivileges, "no-new-privileges", false, "Set no-new-privileges by default for new containers")

 	attachExperimentalFlags(conf, flags)
 }
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@ -71,6 +71,7 @@ Options:
      --max-concurrent-uploads int            Set the max concurrent uploads for each push (default 5)
      --metrics-addr string                   Set default address and port to serve the metrics api on
      --mtu int                               Set the containers network MTU
+      --no-new-privileges                     Set no-new-privileges by default for new containers
      --oom-score-adjust int                  Set the oom_score_adj for the daemon (default -500)
  -p, --pidfile string                        Path to use for daemon PID file (default "/var/run/docker.pid")
      --raw-logs                              Full timestamps without ANSI coloring