authorDaniel Zhang <jmzwcn@gmail.com>2017-01-09 09:22:05 +0800
committerDaniel Zhang <jmzwcn@gmail.com>2017-02-16 19:05:14 +0800
commitd7fda019bb7e24f42f8ae1ddecb3fd52df3c48bf (patch)
treeca51ce8eb00534fdd5634d14303f703913c3160e /daemon/daemon_unix_test.go
parentd26cf30a6094c22fd9d5a032faf96103f6f841dc (diff)
downloaddocker-d7fda019bb7e24f42f8ae1ddecb3fd52df3c48bf.tar.gz
Add daemon flag to set no_new_priv as default for unprivileged containers.
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
Diffstat (limited to 'daemon/daemon_unix_test.go')
-rw-r--r--daemon/daemon_unix_test.go29
1 files changed, 29 insertions, 0 deletions
diff --git a/daemon/daemon_unix_test.go b/daemon/daemon_unix_test.go
index 9889bd19fe..ebb0a0186a 100644
--- a/daemon/daemon_unix_test.go
+++ b/daemon/daemon_unix_test.go
@@ -180,6 +180,35 @@ func TestParseSecurityOpt(t *testing.T) {
}
}
+func TestParseNNPSecurityOptions(t *testing.T) {
+ daemon := &Daemon{
+ configStore: &config.Config{NoNewPrivileges: true},
+ }
+ container := &container.Container{}
+ config := &containertypes.HostConfig{}
+
+ // test NNP when "daemon:true" and "no-new-privileges=false""
+ config.SecurityOpt = []string{"no-new-privileges=false"}
+
+ if err := daemon.parseSecurityOpt(container, config); err != nil {
+ t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
+ }
+ if container.NoNewPrivileges {
+ t.Fatalf("container.NoNewPrivileges should be FALSE: %v", container.NoNewPrivileges)
+ }
+
+ // test NNP when "daemon:false" and "no-new-privileges=true""
+ daemon.configStore.NoNewPrivileges = false
+ config.SecurityOpt = []string{"no-new-privileges=true"}
+
+ if err := daemon.parseSecurityOpt(container, config); err != nil {
+ t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
+ }
+ if !container.NoNewPrivileges {
+ t.Fatalf("container.NoNewPrivileges should be TRUE: %v", container.NoNewPrivileges)
+ }
+}
+
func TestNetworkOptions(t *testing.T) {
daemon := &Daemon{}
dconfigCorrect := &config.Config{
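Review bot: TestParseNNPSecurityOptions never covers the case the new daemon flag exists for: a container that passes no `no-new-privileges` option while `configStore.NoNewPrivileges` is true. Both cases set an explicit per-container value, so they only show that the override wins; if the daemon default were dropped, containers would start without no_new_privs and this test would still pass. Assuming `daemon.parseSecurityOpt` is where the default is copied onto the container (not visible in this hunk), a third case with an empty `SecurityOpt` would pin that behaviour. The exemption for privileged containers named in the commit title should get its own test wherever it is implemented. The locals `container` and `config` also shadow the imported packages of the same names, which is why the sketch below reuses the existing variables instead of constructing fresh ones.

```go
	// … unchanged: the two explicit-override cases …

	// test NNP when "daemon:true" and the container sets no no-new-privileges option
	daemon.configStore.NoNewPrivileges = true
	config.SecurityOpt = nil
	container.NoNewPrivileges = false // clear the value left by the previous case

	if err := daemon.parseSecurityOpt(container, config); err != nil {
		t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
	}
	if !container.NoNewPrivileges {
		t.Fatalf("container.NoNewPrivileges should default to TRUE: %v", container.NoNewPrivileges)
	}
```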