Update to runc 1.1.12
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
9
vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
9
vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
@@ -353,6 +353,15 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
|
||||
}()
|
||||
}
|
||||
|
||||
// Before starting "runc init", mark all non-stdio open files as O_CLOEXEC
|
||||
// to make sure we don't leak any files into "runc init". Any files to be
|
||||
// passed to "runc init" through ExtraFiles will get dup2'd by the Go
|
||||
// runtime and thus their O_CLOEXEC flag will be cleared. This is some
|
||||
// additional protection against attacks like CVE-2024-21626, by making
|
||||
// sure we never leak files to "runc init" we didn't intend to.
|
||||
if err := utils.CloseExecFrom(3); err != nil {
|
||||
return fmt.Errorf("unable to mark non-stdio fds as cloexec: %w", err)
|
||||
}
|
||||
if err := parent.start(); err != nil {
|
||||
return fmt.Errorf("unable to start container process: %w", err)
|
||||
}
|
||||
|