opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-02 09:12:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory

Browse Source 
Since mountStorage and createNetNS run in parallel, the directory file
descriptors used by mountStorage were (rarely) propagated to the CNI
plugins. On FreeBSD, the CNI bridge plugin needs to make changes to the
network jail. This fails if there are any descriptors to open directories
to protect against host directories being visible to the jail's chroot.

Adding O_CLOEXEC to the unix.Open call in openDirectory ensures that these
descriptors are not visible to podman's child processes.

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
This commit is contained in:
Doug Rabson
2022-11-26 13:43:18 +00:00
parent fd142ef5f4
commit f06869168e
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libpod/container_internal_freebsd.go
View File

@ -186,7 +186,7 @@ func (c *Container) getOCICgroupPath() (string, error) {
func openDirectory(path string) (fd int, err error) {
const O_PATH = 0x00400000
return unix.Open(path, unix.O_RDONLY|O_PATH, 0)
return unix.Open(path, unix.O_RDONLY|O_PATH|unix.O_CLOEXEC, 0)
}
func (c *Container) addNetworkNamespace(g *generate.Generator) error {