From: Christian Brauner
Date: Wed, 3 Feb 2021 19:58:45 +0000 (+0100)
Subject: conf: restrict open call in lxc_mount_rootfs()
X-Git-Tag: lxc-5.0.0~302^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ccf5374124900f02efaf1ee41471695d3f32f591;p=thirdparty%2Flxc.git
conf: restrict open call in lxc_mount_rootfs()
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 220a06453..1bf33a78d 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1242,7 +1242,7 @@ static int lxc_mount_rootfs(struct lxc_conf *conf)
 if (ret < 0)
 return log_error_errno(-1, errno, "Failed to recursively turn root mount tree into dependent mount");
- rootfs->mntpt_fd = openat(-1, "/", O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_PATH);
+ rootfs->mntpt_fd = open_at(-EBADF, "/", PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_ABSOLUTE, 0);
 if (rootfs->mntpt_fd < 0)
 return -errno;
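Review bot: The failure path right after the new `open_at()` call returns `-errno` with no log message, while the mount failure just above it goes through `log_error_errno(-1, errno, ...)`; a refused lookup of "/" would therefore abort rootfs setup silently and with a different return convention. Because the call now passes `PROTECT_OPATH_DIRECTORY` and `PROTECT_LOOKUP_ABSOLUTE`, which presumably restrict path resolution beyond what the old `openat()` flags did, this is the branch an operator most needs to see in the log, e.g. `return log_error_errno(-errno, errno, "Failed to open \"/\"");` (confirm the macro's evaluation order keeps the errno value). The commit message gives no rationale, so a one-line comment above the call such as `/* Open "/" with restricted lookup so the rootfs fd cannot be redirected during path resolution. */` would record the intent once its wording is checked against the flag definitions. `open_at()` and both flag macros are defined outside this hunk, and the body of lxc_mount_rootfs() starts and ends outside it.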