From: Christian Brauner
Date: Wed, 24 Feb 2021 00:53:05 +0000 (+0100)
Subject: attach: be paranoid about file descriptors
X-Git-Tag: lxc-5.0.0~270^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ee13f5be729da11eaaa217daf7241be0d4ee89a;p=thirdparty%2Flxc.git

attach: be paranoid about file descriptors

Signed-off-by: Christian Brauner
---

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 9b7915860..f1700da4f 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1657,6 +1657,13 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
 TRACE("Moved transient process %d into container cgroup", pid);
 }
 
+ /*
+ * Close sensitive file descriptors we don't need anymore. Even if
+ * we're the parent.
+ */
+ if (!attach_context_security_barrier(ctx))
+ goto on_error;
+
 /* Setup /proc limits */
 if (!lxc_list_empty(&conf->procs)) {
 ret = setup_proc_filesystem(&conf->procs, pid);
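Review bot: The comment above the new attach_context_security_barrier(ctx) call says only that sensitive descriptors are closed, not which ones the barrier keeps, yet setup_proc_filesystem() and the rest of lxc_attach() still run in the parent after it, so a reader cannot tell from this hunk whether any later parent-side step depends on a descriptor the barrier drops. Suggest extending the comment to state the contract, e.g. `/* Anything lxc_attach() still needs below this point must be kept by the barrier. */`, so a future step added after it is not silently handed a closed descriptor. On failure the code jumps to on_error with the child already forked and moved into the container cgroup; on_error is outside the hunk, so confirm that path terminates or reaps `pid` rather than leaving a transient process running in the container. lxc_attach() begins before and continues after the hunk.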