From 6a7fa68c0f27c8660d9c72e507da96c13cf03415 Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Thu, 4 Mar 2021 09:46:27 -0800
Subject: [PATCH] Plugin configuration level privileged mode.
---
 containerd/containerd.go | 4 ++++
 containerd/driver.go | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 93692c9..d7f6ef3 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -95,6 +95,10 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 opts = append(opts, oci.WithImageConfigArgs(containerConfig.Image, args))
+ if !d.config.AllowPrivileged && config.Privileged {
+ return nil, fmt.Errorf("Running privileged jobs are not allowed. Set allow_privileged to true in plugin config to allow running privileged jobs.")
+ }
+
 // Enable privileged mode.
 if config.Privileged {
 opts = append(opts, oci.WithPrivileged)
diff --git a/containerd/driver.go b/containerd/driver.go
index 022cbeb..4faa060 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -79,6 +79,10 @@ var (
 ),
 "containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
 "stats_interval": hclspec.NewAttr("stats_interval", "string", false),
+ "allow_privileged": hclspec.NewDefault(
+ hclspec.NewAttr("allow_privileged", "bool", false),
+ hclspec.NewLiteral("true"),
+ ),
 })
 // taskConfigSpec is the specification of the plugin's configuration for
@@ -130,6 +134,7 @@ type Config struct {
 Enabled bool `codec:"enabled"`
 ContainerdRuntime string `codec:"containerd_runtime"`
 StatsInterval string `codec:"stats_interval"`
+ AllowPrivileged bool `codec:"allow_privileged"`
 }
 // Volume, bind, and tmpfs type mounts are supported.
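Review bot: The new guard in createContainer enforces `allow_privileged` only at container-creation time, so a task with `privileged = true` on a driver configured to refuse it is rejected late, after the image has been resolved and `oci.WithImageConfigArgs` has already been appended to `opts`; if the plugin has an earlier task-config validation step, the same check belongs there as well so the job fails fast with a clear placement error. The check itself is correct, but the error string breaks Go conventions (capitalized, trailing period, grammatical "jobs are not allowed" vs "Running ... are") and uses no format verbs, so `fmt.Errorf` adds nothing; `return nil, fmt.Errorf("privileged jobs are not allowed; set allow_privileged = true in the plugin config to enable them")` reads better when wrapped or logged by Nomad. Since this is the only place privileged is gated, any other code path that applies `oci.WithPrivileged` (task recovery, for instance) would bypass it — I cannot see such a path from the hunk, but it is worth confirming there is none. createContainer's body starts and ends outside the hunk.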
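Review bot: `allow_privileged` defaults to `"true"` via `hclspec.NewDefault`, so the gate this commit introduces is off unless an operator discovers the option and explicitly turns it off; a plugin-level safety switch for privileged containers (full capabilities, unmasked /proc and /sys, device access on the host) is normally default-deny, and defaulting to `true` means every existing deployment keeps permitting host-level escalation with no configuration change. If the permissive default is kept for backward compatibility, that decision should be visible in the spec: `// allow_privileged defaults to true for backward compatibility; set it to false to refuse tasks that request privileged = true.` above the entry, and the release notes should tell operators to set it. The enclosing `var (` block starts before the hunk.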