From: Christian Brauner
Date: Wed, 3 Feb 2021 09:55:48 +0000 (+0100)
Subject: conf: restrict open of dev/
X-Git-Tag: lxc-5.0.0~303^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce011f53d8d80986a875dda5109394b2d1678e35;p=thirdparty%2Flxc.git

conf: restrict open of dev/

Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 99707bdc6..2ab2e5541 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3334,8 +3334,8 @@ int lxc_setup(struct lxc_handler *handler)
 return log_error(-1, "Failed to mount \"/dev\"");
 }
- lxc_conf->rootfs.dev_mntpt_fd = openat(lxc_conf->rootfs.mntpt_fd, "dev",
- O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_NOFOLLOW);
+ lxc_conf->rootfs.dev_mntpt_fd = open_at(lxc_conf->rootfs.mntpt_fd, "dev",
+ PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_BENEATH_XDEV, 0);
 if (lxc_conf->rootfs.dev_mntpt_fd < 0 && errno != ENOENT)
 return log_error_errno(-errno, errno, "Failed to open \"/dev\"");
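Review bot: The new `open_at()` call in lxc_setup() replaces the explicit `O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_NOFOLLOW` with `PROTECT_OPATH_DIRECTORY`, which by its name presumably yields an O_PATH descriptor, and neither the call site nor the commit message records that change. An O_PATH fd still works as a dirfd for `*at()` lookups but not for operations that need a readable directory (for example `fdopendir`), so the later users of `rootfs.dev_mntpt_fd`, which are outside this hunk, should be checked. I would add a comment above the call, e.g. `/* O_PATH dirfd for *at() lookups only; resolution is confined beneath the rootfs fd, and crossing onto the freshly mounted /dev is intended. */`, after confirming that `PROTECT_LOOKUP_BENEATH_XDEV` really permits the mount crossing, since the name can be read either way. The `errno != ENOENT` test still leaves the field negative on a missing `dev`, so those same users must keep tolerating an invalid fd.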