conf: restrict open of dev/

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: restrict open of dev/
ce011f53 · Christian Brauner · fdf7314d · ce011f53
Unverified Commit ce011f53 authored Feb 03, 2021 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

conf.c src/lxc/conf.c +2 -2

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3334,8 +3334,8 @@ int lxc_setup(struct lxc_handler *handler)
 			return log_error(-1, "Failed to mount \"/dev\"");
 	}
-	lxc_conf->rootfs.dev_mntpt_fd = openat(lxc_conf->rootfs.mntpt_fd, "dev",
+	lxc_conf->rootfs.dev_mntpt_fd = open_at(lxc_conf->rootfs.mntpt_fd, "dev",
-						O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_NOFOLLOW);
+					        PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_BENEATH_XDEV, 0);
 	if (lxc_conf->rootfs.dev_mntpt_fd < 0 && errno != ENOENT)
 		return log_error_errno(-errno, errno, "Failed to open \"/dev\"");