"podman build --security-opt no-new-privileges" noted as not supported
Issue Description
podman-build(1) says that --security-opt no-new-privileges is not supported; from my testing it seems to work correctly, at least for local builds. buildah-build(1) doesn't list no-new-privileges as not supported. Is this a case of some other podman build specific functionality not working with this flag? If so, it may be good to only note the exception and leave the flag as supported otherwise.
Steps to reproduce the issue
- Prepare a Containerfile
- Build it using
podman build -t test --security-opt no-new-privileges .
Describe the results you received
The build went through without throwing an error and did correctly set the no_new_privs flag.
Describe the results you expected
Podman throwing an error for an unsupported flag or something not working correctly (e.g. the flag not being set or build not going through).
podman info output
host:
  arch: amd64
  buildahVersion: 1.39.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 86.06
    systemPercent: 5.39
    userPercent: 8.55
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: kinoite
    version: "41"
  eventLogger: journald
  freeLocks: 2038
  hostname: laptop
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.13.8-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1080594432
  memTotal: 16630775808
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.0-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.0
  ociRuntime:
    name: crun
    package: crun-1.20-2.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.20
      commit: 9c9a76ac11994701dd666c4f0b869ceffb599a66
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250320.g32f6212-2.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc41.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 33260040192
  swapTotal: 33260826624
  uptime: 5h 16m 17.00s (Approximately 0.21 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 9
    paused: 0
    running: 3
    stopped: 6
  graphDriverName: overlay
  graphOptions:
    overlay.additionalImageStores:
    - /usr/lib/containers/storage
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 498387124224
  graphRootUsed: 302147178496
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 26
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.4.1
  BuildOrigin: Fedora Project
  Built: 1741651200
  BuiltTime: Tue Mar 11 01:00:00 2025
  GitCommit: b79bc8afe796cba51dd906270a7e1056ccdfcf9e
  GoVersion: go1.23.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.1
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
I've done both rootful and rootless podman builds.
Hi @ver4a,
I think you're right, I think this is a documentation bug.
Looking through the git history for this doc I can see the "--security-opt no-new-privileges is not supported" claim was added in https://github.com/containers/podman/commit/c12065401f6d2ef35a50246be94c2496a8f432a4
This was syncing the docs from Buildah at the time, if we check the Buildah bud documentation from the same time period we can see the same claim: https://github.com/containers/buildah/blob/2d49f7c3bdad96bebd96491252a938df80783818/docs/buildah-bud.md
2 years later, in 2022, "no-new-privileges" support was added into Buildah here: https://github.com/containers/buildah/commit/d4c661a7746fd8e309bfa0b0b5fd7d13d05846ed
The Buildah documentation was updated but I assume the Podman docs were not updated.
Doing some local testing I came to the same conclusion as you that "no-new-privileges" is working fine:
[quokka@fedora main]$ podman build -t test_normal .
STEP 1/2: FROM docker.io/redhat/ubi9-minimal
STEP 2/2: RUN grep NoNewPrivs /proc/self/status
NoNewPrivs: 0. <-- NOTE
COMMIT test_normal
--> a86354b21cb4
Successfully tagged localhost/test_normal:latest
a86354b21cb4431806ce840c51ee638d0bb712243ae07167a6db36ef0cb8668f
[quokka@fedora main]$ podman build -t test_no_new_privs --security-opt no-new-privileges .
STEP 1/2: FROM docker.io/redhat/ubi9-minimal
STEP 2/2: RUN grep NoNewPrivs /proc/self/status
NoNewPrivs: 1. <-- NOTE
COMMIT test_no_new_privs
--> 3af196e27252
Successfully tagged localhost/test_no_new_privs:latest
3af196e272528d47cadfcb9ab442807577556cc5ece8f52fade730146b0ff2c6
I've opened up a PR, hopefully we haven't missed anything :)
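As an added example (not code from this issue or from the podman/buildah projects), the following self-check does what the maintainer's grep does, but reads the no_new_privs bit both through prctl(2) and by parsing /proc/self/status, and shows the two properties that make the bit meaningful for a build step: it is inherited by every child process and it cannot be cleared once set. All function names are my own; it assumes a Linux kernel that exposes the NoNewPrivs line.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
/* Parse "NoNewPrivs:<ws><0|1>" out of /proc/<pid>/status text: 0, 1, or -1 if absent. */
int parse_status_nnp(const char *status_text)
{
    const char *key = "NoNewPrivs:", *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, strlen(key)) == 0) {
            const char *p = line + strlen(key);
            while (*p == ' ' || *p == '\t') p++;
            return (*p == '1') ? 1 : (*p == '0') ? 0 : -1;
        }
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return -1;
}

/* The authoritative read, straight from the kernel: 0, 1, or -1 on error. */
int nnp_via_prctl(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The same bit as the maintainer's grep sees it; -1 if /proc is unavailable. */
int nnp_via_proc(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); buf[n] = '\0';
    return parse_status_nnp(buf);
}

/* Set the sticky, child-inherited bit on this process; returns the re-read value. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return nnp_via_prctl();
}

/* Clearing the bit is impossible: the kernel rejects arg2 != 1 with EINVAL. */
int clearing_is_refused(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL;
}
```

Compiled into a RUN step, enable_no_new_privs() followed by nnp_via_proc() reproduces the "NoNewPrivs: 1" observation above without depending on grep being present in the base image.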