
Enable NoNewPrivileges for unprivileged container processes #502

Open
plamen-bardarov wants to merge 1 commit into cloudfoundry:main from plamen-bardarov:enable-no-new-privileges

@plamen-bardarov
Contributor

Summary

Adds --no-new-privileges flag that sets NoNewPrivileges=true in the OCI runtime spec for unprivileged containers and peas, closing a privilege escalation path via setuid binaries. The flag is propagated to all spawned processes including cf ssh and sidecars. Privileged containers are unaffected.

Backward Compatibility

Breaking Change? No

Add --no-new-privileges CLI flag that sets NoNewPrivileges=true in the
OCI runtime spec for unprivileged containers and peas. This prevents
privilege escalation via setuid binaries and file capabilities.

The flag is propagated to all spawned processes (cf ssh, garden run)
via BuildProcess. Privileged containers are unaffected.
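The behaviour described above, sketched as an added example that is not code from this pull request or the project: a process spec gets `noNewPrivileges` (the OCI runtime spec field) only when the flag is on and the container is unprivileged, and the result can be checked from the `NoNewPrivs` line of `/proc/<pid>/status`. `BuildProcessSpec`, `NoNewPrivsSet` and the sample status text are hypothetical names and constructed data.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Process mirrors only the OCI runtime spec "process" fields used in this example.
type Process struct {
	Args            []string `json:"args"`
	NoNewPrivileges bool     `json:"noNewPrivileges"`
}

// BuildProcessSpec is a hypothetical helper, not the project's BuildProcess.
// flagEnabled stands for --no-new-privileges; privileged containers are unaffected.
func BuildProcessSpec(args []string, privileged, flagEnabled bool) Process {
	return Process{Args: args, NoNewPrivileges: flagEnabled && !privileged}
}

// NoNewPrivsSet parses the text of /proc/<pid>/status. set reports whether the
// kernel shows "NoNewPrivs: 1"; found is false when the line is absent
// (older kernels do not expose it), so a missing line is not read as "off".
func NoNewPrivsSet(status string) (set, found bool) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if ok && key == "NoNewPrivs" {
			return strings.TrimSpace(val) == "1", true
		}
	}
	return false, false
}

// Constructed sample of a status file for a process spawned with the flag on.
const sampleStatus = "Name:\tsshd\nUid:\t2000\t2000\t2000\t2000\nNoNewPrivs:\t1\nSeccomp:\t2\n"

func main() {
	for _, privileged := range []bool{false, true} {
		out, _ := json.Marshal(BuildProcessSpec([]string{"/bin/sh"}, privileged, true))
		fmt.Printf("privileged=%v spec=%s\n", privileged, out)
	}
	set, found := NoNewPrivsSet(sampleStatus)
	fmt.Printf("NoNewPrivs set=%v found=%v\n", set, found)
}
```

Running the same status check against a `cf ssh` session or sidecar process inside an unprivileged container is a quick way to confirm the flag reached every spawned process.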