potyarkin/forgejo-runner-act
1
0
Fork 0
Code Issues Pull requests Activity

Force privileged to false when runner's config is false (#57)

Browse source 
The runner's `privileged` config can be bypassed. Currently, even if the runner's `privileged` config is false, users can still enable the privileged mode by using `--privileged` in the container's option string. Therefore, if runner's config is false, the `--privileged` in options string should be ignored.

Reviewed-on: https://gitea.com/gitea/act/pulls/57
Reviewed-by: Jason Song <i@wolfogre.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-committed-by: Zettat123 <zettat123@gmail.com>
This commit is contained in:
Zettat123 2023-05-16 11:21:18 +08:00 committed by Jason Song
parent ed9b6643ca
commit 27846050ae
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pkg/container/docker_run.go
View file

@ -376,6 +376,12 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
// } // }
// } // }
// If the `privileged` config has been disabled, `copts.privileged` need to be forced to false,
// even if the user specifies `--privileged` in the options string.
if !hostConfig.Privileged {
copts.privileged = false
}
containerConfig, err := parse(flags, copts, "") containerConfig, err := parse(flags, copts, "")
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err) return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err)