From 7043e2b4704415cbad0ee149f2f99f0ea622b179 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 4 Feb 2021 15:05:43 +0100
Subject: [PATCH] cgroups: restrict open calls in cgroup_attach_create_leaf()

Signed-off-by: Christian Brauner
---
 src/lxc/cgroups/cgfsng.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index f4eccbd76..6c13bd111 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2311,12 +2311,12 @@ static int cgroup_attach_create_leaf(const struct lxc_conf *conf,
 	if (ret < 0 && errno != EEXIST)
 		return log_error_errno(-1, errno, "Failed to create leaf cgroup \".lxc\"");
 
-	target_fd0 = openat(unified_fd, ".lxc/cgroup.procs", O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
+	target_fd0 = open_at(unified_fd, ".lxc/cgroup.procs", PROTECT_OPEN_W, PROTECT_LOOKUP_BENEATH, 0);
 	if (target_fd0 < 0)
 		return log_error_errno(-errno, errno, "Failed to open \".lxc/cgroup.procs\"");
 	target_fds[0] = target_fd0;
 
-	target_fd1 = openat(unified_fd, "cgroup.procs", O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
+	target_fd1 = open_at(unified_fd, "cgroup.procs", PROTECT_OPEN_W, PROTECT_LOOKUP_BENEATH, 0);
 	if (target_fd1 < 0)
 		return log_error_errno(-errno, errno, "Failed to open \".lxc/cgroup.procs\"");
 	target_fds[1] = target_fd1;
-- 
2.47.2
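Review bot: The failure path after the second open_at() still logs `"Failed to open \".lxc/cgroup.procs\""` even though that call opens `cgroup.procs` of the parent cgroup, so an EACCES/ENOENT from the second open gets attributed to the wrong file when someone debugs an attach failure; it should read `return log_error_errno(-errno, errno, "Failed to open \"cgroup.procs\"");`. The hunk also mixes return conventions: the mkdir-style failure above returns -1 while both open failures return -errno, which callers checking the exact value will see inconsistently, so aligning the first to `-errno` (or documenting why it differs) would help. Since open_at() and the PROTECT_OPEN_W/PROTECT_LOOKUP_BENEATH flags are defined outside this hunk, I cannot confirm here that O_CLOEXEC and O_NOFOLLOW from the old openat() calls are preserved in the new flag set, nor what the trailing `0` argument means; a one-line comment such as `/* PROTECT_LOOKUP_BENEATH: refuse to resolve outside unified_fd (symlinks, "..") */` above the first call would make the hardening intent explicit for readers. cgroup_attach_create_leaf() starts and ends outside this hunk.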