Force privileged to false when runner's config is false (#57)

The runner's `privileged` config can be bypassed. Currently, even if the runner's `privileged` config is false, users can still enable the privileged mode by using `--privileged` in the container's option string. Therefore, if runner's config is false, the `--privileged` in options string should be ignored. Reviewed-on: https://gitea.com/gitea/act/pulls/57 Reviewed-by: Jason Song <i@wolfogre.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-committed-by: Zettat123 <zettat123@gmail.com>
2023-05-16 11:21:18 +08:00 · 2023-05-16 11:21:18 +08:00 · 27846050ae
commit 27846050ae
parent ed9b6643ca
1 changed files with 6 additions and 0 deletions
--- a/pkg/container/docker_run.go
+++ b/pkg/container/docker_run.go
@ -376,6 +376,12 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 	// 	}
 	// }

+	// If the `privileged` config has been disabled, `copts.privileged` need to be forced to false,
+	// even if the user specifies `--privileged` in the options string.
+	if !hostConfig.Privileged {
+		copts.privileged = false
+	}
+
 	containerConfig, err := parse(flags, copts, "")
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err)