conf: restrict open of dev/

author Christian Brauner <christian.brauner@ubuntu.com>

Wed, 3 Feb 2021 09:55:48 +0000 (10:55 +0100)

committer Christian Brauner <christian.brauner@ubuntu.com>

Wed, 3 Feb 2021 10:49:51 +0000 (11:49 +0100)
author Christian Brauner <christian.brauner@ubuntu.com>
Wed, 3 Feb 2021 09:55:48 +0000 (10:55 +0100)
committer Christian Brauner <christian.brauner@ubuntu.com>
Wed, 3 Feb 2021 10:49:51 +0000 (11:49 +0100)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c

index 99707bdc6ac65f28362bc778fb45afd568a92622..2ab2e55417639569f89ff14250943c5e5f51fdd4 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3334,8 +3334,8 @@ int lxc_setup(struct lxc_handler *handler)
                         return log_error(-1, "Failed to mount \"/dev\"");
         }
  
-       lxc_conf->rootfs.dev_mntpt_fd = openat(lxc_conf->rootfs.mntpt_fd, "dev",
-                                               O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_NOFOLLOW);
+       lxc_conf->rootfs.dev_mntpt_fd = open_at(lxc_conf->rootfs.mntpt_fd, "dev",
+                                               PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_BENEATH_XDEV, 0);
         if (lxc_conf->rootfs.dev_mntpt_fd < 0 && errno != ENOENT)
                 return log_error_errno(-errno, errno, "Failed to open \"/dev\"");
author	Christian Brauner <christian.brauner@ubuntu.com>
	Wed, 3 Feb 2021 09:55:48 +0000 (10:55 +0100)
committer	Christian Brauner <christian.brauner@ubuntu.com>
	Wed, 3 Feb 2021 10:49:51 +0000 (11:49 +0100)