
Commit f6b450f

author
Natalie Arellano
authored
Merge pull request #2217 from buildpacks/security-fixes
Fixes from security review
2 parents cbc880a + 13ca537 commit f6b450f

17 files changed

Lines changed: 625 additions & 83 deletions

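--- a/acceptance/acceptance_test.go
+++ b/acceptance/acceptance_test.go
@@ -38,6 +38,7 @@ import (
 "github.com/buildpacks/pack/internal/style"
 "github.com/buildpacks/pack/pkg/archive"
 "github.com/buildpacks/pack/pkg/cache"
+"github.com/buildpacks/pack/pkg/logging"
 h "github.com/buildpacks/pack/testhelpers"
 )
 
@@ -1162,8 +1163,9 @@ func testAcceptance(
 ref, err := name.ParseReference(repoName, name.WeakValidation)
 assert.Nil(err)
 cacheImage := cache.NewImageCache(ref, dockerCli)
-buildCacheVolume := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli)
-launchCacheVolume := cache.NewVolumeCache(ref, cache.CacheInfo{}, "launch", dockerCli)
+logger := logging.NewSimpleLogger(&bytes.Buffer{})
+buildCacheVolume, _ := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli, logger)
+launchCacheVolume, _ := cache.NewVolumeCache(ref, cache.CacheInfo{}, "launch", dockerCli, logger)
 cacheImage.Clear(context.TODO())
 buildCacheVolume.Clear(context.TODO())
 launchCacheVolume.Clear(context.TODO())
@@ -1282,8 +1284,9 @@ func testAcceptance(
 ref, err := name.ParseReference(repoName, name.WeakValidation)
 assert.Nil(err)
 cacheImage := cache.NewImageCache(ref, dockerCli)
-buildCacheVolume := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli)
-launchCacheVolume := cache.NewVolumeCache(ref, cache.CacheInfo{}, "launch", dockerCli)
+logger := logging.NewSimpleLogger(&bytes.Buffer{})
+buildCacheVolume, _ := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli, logger)
+launchCacheVolume, _ := cache.NewVolumeCache(ref, cache.CacheInfo{}, "launch", dockerCli, logger)
 cacheImage.Clear(context.TODO())
 buildCacheVolume.Clear(context.TODO())
 launchCacheVolume.Clear(context.TODO())
@@ -1627,6 +1630,7 @@ func testAcceptance(
 
 it.Before(func() {
 h.SkipIf(t, os.Getenv("DOCKER_HOST") != "", "cannot mount volume when DOCKER_HOST is set")
+h.SkipIf(t, imageManager.HostOS() == "windows", "These tests are broken on Windows Containers on Windows when not using the creator; see https://github.com/buildpacks/pack/issues/2147")
 
 if imageManager.HostOS() == "windows" {
 volumeRoot = `c:\`
@@ -3167,8 +3171,9 @@ include = [ "*.jar", "media/mountain.jpg", "/media/person.png", ]
 imageManager.CleanupImages(origID, repoName, runBefore)
 ref, err := name.ParseReference(repoName, name.WeakValidation)
 assert.Nil(err)
-buildCacheVolume := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli)
-launchCacheVolume := cache.NewVolumeCache(ref, cache.CacheInfo{}, "launch", dockerCli)
+logger := logging.NewSimpleLogger(&bytes.Buffer{})
+buildCacheVolume, _ := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli, logger)
+launchCacheVolume, _ := cache.NewVolumeCache(ref, cache.CacheInfo{}, "launch", dockerCli, logger)
 assert.Succeeds(buildCacheVolume.Clear(context.TODO()))
 assert.Succeeds(launchCacheVolume.Clear(context.TODO()))
 })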
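Review bot: The error returned by cache.NewVolumeCache is discarded on the `buildCacheVolume, _ :=` and `launchCacheVolume, _ :=` lines in the `@@ -1162`, `@@ -1282` and `@@ -3167` hunks, so if construction fails the test presumably proceeds to call `Clear` on a nil cache and reports a confusing panic instead of the real cause. The surrounding code already checks every other error, so the same pattern fits here: `buildCacheVolume, err := cache.NewVolumeCache(ref, cache.CacheInfo{}, "build", dockerCli, logger)` followed by `assert.Nil(err)`, and likewise for the launch cache. Since the volume cache now requires a logger, the three identical `logger := logging.NewSimpleLogger(&bytes.Buffer{})` lines could be replaced by one helper shared across the cases. The enclosing testAcceptance function starts and ends outside these hunks.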

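--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,7 @@ module github.com/buildpacks/pack
 
 require (
 github.com/BurntSushi/toml v1.3.2
+github.com/GoogleContainerTools/kaniko v1.22.0
 github.com/Masterminds/semver v1.5.0
 github.com/Microsoft/go-winio v0.6.2
 github.com/apex/log v1.9.0
@@ -108,7 +109,7 @@ require (
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mattn/go-runewidth v0.0.15 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
-github.com/mitchellh/mapstructure v1.4.1 // indirect
+github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/moby/buildkit v0.13.2 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/patternmatcher v0.6.0 // indirect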

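--- a/go.sum
+++ b/go.sum
@@ -31,6 +31,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/GoogleContainerTools/kaniko v1.22.0 h1:WIL8Wuc+lQW8sv1R+zOZsCy4lQtTzrVJ76K2VMkB++0=
+github.com/GoogleContainerTools/kaniko v1.22.0/go.mod h1:Kki7uX+HlskobmD7PRrGZvL0S9Aejf8kzfzoQUv68pQ=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -272,8 +274,8 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e h1:Qa6dnn8DlasdXRnacluu8HzPts0S1I9zvvUPDbBnXFI=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e/go.mod h1:waEya8ee1Ro/lgxpVhkJI4BVASzkm3UZqkx/cFJiYHM=
-github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/buildkit v0.13.2 h1:nXNszM4qD9E7QtG7bFWPnDI1teUQFQglBzon/IU3SzI=
 github.com/moby/buildkit v0.13.2/go.mod h1:2cyVOv9NoHM7arphK9ZfHIWKn9YVZRFd1wXB8kKmEzY=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -533,8 +535,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c h1:lfpJ/2rWPa/kJgxyyXM8PrNnfCzcmxJ265mADgwmvLI=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
@@ -561,5 +563,5 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=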

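--- a/internal/build/docker.go
+++ b/internal/build/docker.go
@@ -23,6 +23,8 @@ type DockerClient interface {
 ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error)
 ContainerRemove(ctx context.Context, container string, options containertypes.RemoveOptions) error
 CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error
+NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error)
+NetworkRemove(ctx context.Context, network string) error
 }
 
 var _ DockerClient = dockerClient.CommonAPIClient(nil)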

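--- a/internal/build/lifecycle_execution.go
+++ b/internal/build/lifecycle_execution.go
@@ -12,6 +12,7 @@ import (
 "github.com/buildpacks/lifecycle/api"
 "github.com/buildpacks/lifecycle/auth"
 "github.com/buildpacks/lifecycle/platform/files"
+"github.com/docker/docker/api/types"
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/pkg/errors"
 "golang.org/x/sync/errgroup"
@@ -165,6 +166,7 @@ func (l *LifecycleExecution) PrevImageName() string {
 
 func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseFactoryCreator) error {
 phaseFactory := phaseFactoryCreator(l)
+
 var buildCache Cache
 if l.opts.CacheImage != "" || (l.opts.Cache.Build.Format == cache.CacheImage) {
 cacheImageName := l.opts.CacheImage
@@ -179,7 +181,11 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 } else {
 switch l.opts.Cache.Build.Format {
 case cache.CacheVolume:
-buildCache = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Build, "build", l.docker)
+var err error
+buildCache, err = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Build, "build", l.docker, l.logger)
+if err != nil {
+return err
+}
 l.logger.Debugf("Using build cache volume %s", style.Symbol(buildCache.Name()))
 case cache.CacheBind:
 buildCache = cache.NewBindCache(l.opts.Cache.Build, l.docker)
@@ -194,7 +200,33 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 l.logger.Debugf("Build cache %s cleared", style.Symbol(buildCache.Name()))
 }
 
-launchCache := cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Launch, "launch", l.docker)
+launchCache, err := cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Launch, "launch", l.docker, l.logger)
+if err != nil {
+return err
+}
+
+if l.opts.Network == "" {
+// start an ephemeral bridge network
+driver := "bridge"
+if l.os == "windows" {
+driver = "nat"
+}
+networkName := fmt.Sprintf("pack.local/network/%x", randString(10))
+resp, err := l.docker.NetworkCreate(ctx, networkName, types.NetworkCreate{
+Driver: driver,
+})
+if err != nil {
+return fmt.Errorf("failed to create ephemeral %s network: %w", driver, err)
+}
+defer func() {
+_ = l.docker.NetworkRemove(ctx, networkName)
+}()
+l.logger.Debugf("Created ephemeral bridge network %s with ID %s", networkName, resp.ID)
+if resp.Warning != "" {
+l.logger.Warn(resp.Warning)
+}
+l.opts.Network = networkName
+}
 
 if !l.opts.UseCreator {
 if l.platformAPI.LessThan("0.7") {
@@ -224,7 +256,10 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 // lifecycle 0.17.0 (introduces support for Platform API 0.12) and above will ensure that
 // this volume is owned by the CNB user,
 // and hence the restorer (after dropping privileges) will be able to write to it.
-kanikoCache = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker)
+kanikoCache, err = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker, l.logger)
+if err != nil {
+return err
+}
 } else {
 switch {
 case buildCache.Type() == cache.Volume:
@@ -236,7 +271,10 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 return fmt.Errorf("build cache must be volume cache when building with extensions")
 default:
 // The kaniko cache is unused, so it doesn't matter that it's not usable.
-kanikoCache = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker)
+kanikoCache, err = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker, l.logger)
+if err != nil {
+return err
+}
 }
 }
 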
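Review bot: The deferred cleanup in the `@@ -194,7 +200,33 @@` hunk calls `l.docker.NetworkRemove(ctx, networkName)` with the same ctx that Run received, so when Run unwinds because that ctx was cancelled or timed out the removal request fails immediately and the ephemeral network stays behind on the daemon; the error is also discarded, so nothing records that the cleanup failed. Use a context that is not tied to the build for the removal and log a failure at warn level, as below. The Debugf on the next line hard-codes "bridge" although `driver` is "nat" on Windows; formatting `driver` into the message keeps the log accurate. The three bare `return err` sites after the NewVolumeCache calls could carry context, e.g. `return fmt.Errorf("creating launch cache volume: %w", err)`, so a caller can tell which cache failed. Run's body continues outside the hunk.

```go
// … unchanged: driver selection, NetworkCreate call and its error check …
defer func() {
	// The build ctx may already be cancelled when Run unwinds; cleanup must not depend on it.
	if err := l.docker.NetworkRemove(context.Background(), networkName); err != nil {
		l.logger.Warnf("failed to remove ephemeral %s network %s: %s", driver, networkName, err)
	}
}()
l.logger.Debugf("Created ephemeral %s network %s with ID %s", driver, networkName, resp.ID)
// … unchanged: warning passthrough and l.opts.Network assignment …
```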
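--- a/internal/build/lifecycle_execution_test.go
+++ b/internal/build/lifecycle_execution_test.go
@@ -16,6 +16,7 @@ import (
 ifakes "github.com/buildpacks/imgutil/fakes"
 "github.com/buildpacks/lifecycle/api"
 "github.com/buildpacks/lifecycle/platform/files"
+"github.com/docker/docker/api/types"
 "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/client"
 "github.com/google/go-containerregistry/pkg/authn"
@@ -275,7 +276,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 fakeBuilder *fakes.FakeBuilder
 outBuf bytes.Buffer
 logger *logging.LogWithWriters
-docker *client.Client
+docker *fakeDockerClient
 fakeTermui *fakes.FakeTermui
 )
 
@@ -289,7 +290,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 fakeBuilder, err = fakes.NewFakeBuilder(fakes.WithSupportedPlatformAPIs([]*api.Version{api.MustParse("0.3")}))
 h.AssertNil(t, err)
 logger = logging.NewLogWithWriters(&outBuf, &outBuf)
-docker, err = client.NewClientWithOpts(client.FromEnv, client.WithVersion("1.38"))
+docker = &fakeDockerClient{}
 h.AssertNil(t, err)
 fakePhaseFactory = fakes.NewFakePhaseFactory()
 })
@@ -780,6 +781,46 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 })
 })
 
+when("network is not provided", func() {
+it("creates an ephemeral bridge network", func() {
+beforeNetworks := func() int {
+networks, err := docker.NetworkList(context.Background(), types.NetworkListOptions{})
+h.AssertNil(t, err)
+return len(networks)
+}()
+
+opts := build.LifecycleOptions{
+Image: imageName,
+Builder: fakeBuilder,
+Termui: fakeTermui,
+}
+
+lifecycle, err := build.NewLifecycleExecution(logger, docker, "some-temp-dir", opts)
+h.AssertNil(t, err)
+
+err = lifecycle.Run(context.Background(), func(execution *build.LifecycleExecution) build.PhaseFactory {
+return fakePhaseFactory
+})
+h.AssertNil(t, err)
+
+for _, entry := range fakePhaseFactory.NewCalledWithProvider {
+h.AssertContains(t, string(entry.HostConfig().NetworkMode), "pack.local/network/")
+h.AssertEq(t, entry.HostConfig().NetworkMode.IsDefault(), false)
+h.AssertEq(t, entry.HostConfig().NetworkMode.IsHost(), false)
+h.AssertEq(t, entry.HostConfig().NetworkMode.IsNone(), false)
+h.AssertEq(t, entry.HostConfig().NetworkMode.IsPrivate(), true)
+h.AssertEq(t, entry.HostConfig().NetworkMode.IsUserDefined(), true)
+}
+
+afterNetworks := func() int {
+networks, err := docker.NetworkList(context.Background(), types.NetworkListOptions{})
+h.AssertNil(t, err)
+return len(networks)
+}()
+h.AssertEq(t, beforeNetworks, afterNetworks)
+})
+})
+
 when("Error cases", func() {
 when("passed invalid", func() {
 it("fails for cache-image", func() {
@@ -2657,6 +2698,26 @@ func (f *fakeImageFetcher) fetchRunImage(name string) error {
 return nil
 }
 
+type fakeDockerClient struct {
+nNetworks int
+build.DockerClient
+}
+
+func (f *fakeDockerClient) NetworkList(ctx context.Context, opts types.NetworkListOptions) ([]types.NetworkResource, error) {
+ret := make([]types.NetworkResource, f.nNetworks)
+return ret, nil
+}
+
+func (f *fakeDockerClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
+f.nNetworks++
+return types.NetworkCreateResponse{}, nil
+}
+
+func (f *fakeDockerClient) NetworkRemove(ctx context.Context, network string) error {
+f.nNetworks--
+return nil
+}
+
 func newTestLifecycleExecErr(t *testing.T, logVerbose bool, tmpDir string, ops ...func(*build.LifecycleOptions)) (*build.LifecycleExecution, error) {
 docker, err := client.NewClientWithOpts(client.FromEnv, client.WithVersion("1.38"))
 h.AssertNil(t, err)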
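Review bot: The new "network is not provided" case in the `@@ -780,6 +781,46 @@` hunk only exercises the success path, so the deferred NetworkRemove is never checked on the path where Run returns an error, which is exactly where a leaked ephemeral network would go unnoticed; a sibling case that makes a phase fail and still asserts `h.AssertEq(t, beforeNetworks, afterNetworks)` would cover it. `fakeDockerClient` in the `@@ -2657` hunk only counts creations and removals, so the test cannot confirm that the network removed is the one that was created; recording the name in NetworkCreate (e.g. a `created []string` field) and checking it in NetworkRemove would make the assertion meaningful. In the `@@ -289,7 +290,7 @@` hunk the `h.AssertNil(t, err)` after `docker = &fakeDockerClient{}` now re-checks the err from the NewFakeBuilder call above it and can be dropped. Any DockerClient method the fake does not implement is dispatched to the embedded nil interface and panics, so a comment on the struct such as `// fakeDockerClient implements only the network calls; every other method panics.` would spare the next reader a surprise. testLifecycleExecution starts and ends outside these hunks.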

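--- a/internal/build/phase_config_provider.go
+++ b/internal/build/phase_config_provider.go
@@ -34,9 +34,14 @@ type PhaseConfigProvider struct {
 }
 
 func NewPhaseConfigProvider(name string, lifecycleExec *LifecycleExecution, ops ...PhaseConfigProviderOperation) *PhaseConfigProvider {
+hostConf := new(container.HostConfig)
+hostConf.UsernsMode = "host"
+if lifecycleExec.os != "windows" {
+hostConf.SecurityOpt = []string{"no-new-privileges=true"}
+}
 provider := &PhaseConfigProvider{
 ctrConf: new(container.Config),
-hostConf: new(container.HostConfig),
+hostConf: hostConf,
 name: name,
 os: lifecycleExec.os,
 infoWriter: logging.GetWriterForLevel(lifecycleExec.logger, logging.InfoLevel),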
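Review bot: `hostConf.UsernsMode = "host"` is a security-relevant setting with no comment explaining it: on a daemon configured with user-namespace remapping it runs the phase containers in the host user namespace, so readers of a change titled "Fixes from security review" will want to know why that is required rather than assume it is an oversight. A comment above the assignment along the lines of `// UsernsMode "host" opts these containers out of daemon userns-remap; <reason this is required, from the security review>` with the real rationale filled in would record the trade-off. The Windows branch is likewise undocumented; `// no-new-privileges is a Linux-only security option` on the `if lifecycleExec.os != "windows"` line would explain why that hardening is skipped there. The ops passed to NewPhaseConfigProvider can presumably still replace or extend SecurityOpt, so the doc comment on the function could state that these are defaults rather than guarantees. NewPhaseConfigProvider continues past the hunk.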

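--- a/internal/build/phase_config_provider_test.go
+++ b/internal/build/phase_config_provider_test.go
@@ -59,6 +59,8 @@ func testPhaseConfigProvider(t *testing.T, when spec.G, it spec.S) {
 h.AssertSliceContainsMatch(t, phaseConfigProvider.HostConfig().Binds, "pack-app-.*:/workspace")
 
 h.AssertEq(t, phaseConfigProvider.HostConfig().Isolation, container.IsolationEmpty)
+h.AssertEq(t, phaseConfigProvider.HostConfig().UsernsMode, container.UsernsMode("host"))
+h.AssertSliceContains(t, phaseConfigProvider.HostConfig().SecurityOpt, "no-new-privileges=true")
 })
 
 when("building for Windows", func() {
@@ -72,6 +74,7 @@ func testPhaseConfigProvider(t *testing.T, when spec.G, it spec.S) {
 phaseConfigProvider := build.NewPhaseConfigProvider("some-name", lifecycle)
 
 h.AssertEq(t, phaseConfigProvider.HostConfig().Isolation, container.IsolationProcess)
+h.AssertSliceNotContains(t, phaseConfigProvider.HostConfig().SecurityOpt, "no-new-privileges=true")
 })
 })
 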