31 lines
926 B
Diff
31 lines
926 B
Diff
From ac0e25d39dc0eaaf492ea626e1c1bbf3b5f2999f Mon Sep 17 00:00:00 2001
|
|
From: jake <jikai11@huawei.com>
|
|
Date: Mon, 18 Sep 2023 11:08:22 +0000
|
|
Subject: [PATCH 8/8] !266 set env to avoid invoke lxc binary directly * set
|
|
env to avoid invoke lxc binary directly
|
|
|
|
---
|
|
src/runtime/lcrcontainer.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/src/runtime/lcrcontainer.c b/src/runtime/lcrcontainer.c
|
|
index 4270902..ad6dc66 100644
|
|
--- a/src/runtime/lcrcontainer.c
|
|
+++ b/src/runtime/lcrcontainer.c
|
|
@@ -289,6 +289,12 @@ bool lcr_start(const struct lcr_start_request *request)
|
|
close(pipefd[0]);
|
|
dup2(pipefd[1], 2);
|
|
|
|
+ // should set LXC_MEMFD_REXEC=1 before lxc_start
|
|
+ // to improve the security of launching containers
|
|
+ if (setenv("LXC_MEMFD_REXEC", "1", true) != 0) {
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
execute_lxc_start(request->name, path, request);
|
|
}
|
|
|
|
--
|
|
2.34.1
|
|
|