Signed-off-by: jikai <jikai11@huawei.com> (cherry picked from commit 0a5748543c47e895a44afbc57de2d1ad6f9063d9)
From 235048833fbd12ddb19dee74df5a13a26bfe5e6b Mon Sep 17 00:00:00 2001
From: jake <jikai11@huawei.com>
Date: Mon, 18 Sep 2023 11:07:42 +0000
Subject: [PATCH 12/22] !265 set env to avoid invoke lxc binary directly * set
env to avoid invoke lxc binary directly
---
src/lcrcontainer.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lcrcontainer.c b/src/lcrcontainer.c
index f65f570..5c69c8e 100644
--- a/src/lcrcontainer.c
+++ b/src/lcrcontainer.c
@@ -290,6 +290,12 @@ bool lcr_start(const struct lcr_start_request *request)
close(pipefd[0]);
dup2(pipefd[1], 2);
+ // should set LXC_MEMFD_REXEC=1 before lxc_start
+ // to improve the security of launching containers
+ if (setenv("LXC_MEMFD_REXEC", "1", true) != 0) {
+ exit(1);
+ }
+
execute_lxc_start(request->name, path, request);
}
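Review bot: The bare `exit(1)` on the new setenv failure path gives the caller no way to tell this failure apart from any other early exit, even though stderr was just routed into `pipefd[1]` two lines above and a message written here would reach whoever reads that pipe; consider `fprintf(stderr, "setenv(LXC_MEMFD_REXEC) failed: %s\n", strerror(errno));` (or the project's logging macro) before exiting. The `close`/`dup2` on the pipe suggests this code runs in a forked child ahead of the exec; if so, `_exit(1)` is the safer call, since `exit()` runs atexit handlers and flushes stdio buffers inherited from the parent. The comment `to improve the security of launching containers` could state what the variable buys so the next maintainer does not drop it as cosmetic — as far as I recall, it makes liblxc re-exec from an in-memory copy of its binary so the container cannot reach the on-disk executable via `/proc/self/exe`, which is worth confirming against the lxc version in use. The body of `lcr_start` starts outside the hunk, so whether a fork precedes this block is inferred, not visible.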
--
2.34.1