!252 [sync] PR-251: set env to avoid invoke lxc binary directly

From: @openeuler-sync-bot 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian

0012-265-set-env-to-avoid-invoke-lxc-binary-directly.patch

@@ -0,0 +1,30 @@
+From 235048833fbd12ddb19dee74df5a13a26bfe5e6b Mon Sep 17 00:00:00 2001
+From: jake <jikai11@huawei.com>
+Date: Mon, 18 Sep 2023 11:07:42 +0000
+Subject: [PATCH 12/12] !265 set env to avoid invoke lxc binary directly * set
+ env to avoid invoke lxc binary directly
+
+---
+ src/lcrcontainer.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/lcrcontainer.c b/src/lcrcontainer.c
+index f65f570..5c69c8e 100644
+--- a/src/lcrcontainer.c
++++ b/src/lcrcontainer.c
+@@ -290,6 +290,12 @@ bool lcr_start(const struct lcr_start_request *request)
+         close(pipefd[0]);
+         dup2(pipefd[1], 2);
+ 
++        // should set LXC_MEMFD_REXEC=1 before lxc_start
++        // to improve the security of launching containers
++        if (setenv("LXC_MEMFD_REXEC", "1", true) != 0) {
++            exit(1);
++        }
++
+         execute_lxc_start(request->name, path, request);
+     }
+ 
+-- 
+2.34.1
+

lcr.spec

@@ -1,5 +1,5 @@
 %global _version 2.0.9
-%global _release 6
+%global _release 7
 %global _inner_name isula_libutils
 
 Name:      lcr
@@ -23,6 +23,7 @@ Patch0008:	0008-CI-checkout-branch-of-lxc.patch
 Patch0009:	0009-support-check-symbols-and-compile-code-in-cmake.patch
 Patch0010:	0010-remove-unnecessary-strerror.patch
 Patch0011:	0011-258-improve-code-of-function-in-log.patch
+Patch0012:	0012-265-set-env-to-avoid-invoke-lxc-binary-directly.patch
 
 %define lxcver_lower 4.0.3-2022102400
 %define lxcver_upper 4.0.3-2022102500
@@ -106,6 +107,12 @@ rm -rf %{buildroot}
 %{_includedir}/%{_inner_name}/*.h
 
 %changelog
+* Mon Sep 18 2023 jikai<jikai11@huawei.com> - 2.0.9-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:set env to avoid invoke lxc binary directly
+
 * Tue Sep 12 2023 jikai<jikai11@huawei.com> - 2.0.9-6
 - Type:bugfix
 - CVE:NA