From 9fa324c4796479555c3ebb8a9fb8ad396815e893 Mon Sep 17 00:00:00 2001
From: lifubang
Date: Sun, 13 Oct 2024 20:07:56 +0800
Subject: [PATCH] dmz: cloned binary: set +x permissions when creating regular tmpfile

While we did set +x when "sealing" regular temporary files, the "is executable" checks were done before then and would thus fail, causing the fallback to not work properly. So just set +x after we create the file. We already have a O_RDWR handle open when we do the chmod so we won't get permission issues when writing to the file.

Fixes: e089db3b4a31 ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")
Signed-off-by: lifubang
---
 libcontainer/dmz/cloned_binary_linux.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libcontainer/dmz/cloned_binary_linux.go b/libcontainer/dmz/cloned_binary_linux.go
index db5e18a3260..3d732d3f98a 100644
--- a/libcontainer/dmz/cloned_binary_linux.go
+++ b/libcontainer/dmz/cloned_binary_linux.go
@@ -64,9 +64,6 @@ func Memfd(comment string) (*os.File, SealFunc, error) {
 }
 
 func sealFile(f **os.File) error {
-	if err := (*f).Chmod(0o511); err != nil {
-		return err
-	}
 	// When sealing an O_TMPFILE-style descriptor we need to
 	// re-open the path as O_PATH to clear the existing write
 	// handle we have.
@@ -108,6 +105,9 @@ func mktemp(dir string) (*os.File, SealFunc, error) {
 	if err := os.Remove(file.Name()); err != nil {
 		return nil, nil, fmt.Errorf("unlinking classic tmpfile: %w", err)
 	}
+	if err := file.Chmod(0o511); err != nil {
+		return nil, nil, fmt.Errorf("chmod classic tmpfile: %w", err)
+	}
 	var stat unix.Stat_t
 	if err := unix.Fstat(int(file.Fd()), &stat); err != nil {
 		return nil, nil, fmt.Errorf("cannot fstat classic tmpfile: %w", err)
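Review bot: Removing `(*f).Chmod(0o511)` from `sealFile` takes away the one chmod that was shared by every caller of the seal function, so any other creator that goes through `sealFile` (the commit message mentions an O_TMPFILE fallback alongside `mktemp`, not visible in this hunk) now depends entirely on the mode it passed at open time. If that opener does not already request an executable mode, its is-executable check will fail exactly the way the mktemp one did before this patch; this should be confirmed against the O_TMPFILE open call. A one-line comment at the top of `sealFile` would stop the next reader from re-adding the chmod here, e.g. `// +x is set by the creator, not here: the executable check runs before sealing.` `sealFile`'s body continues past the end of this hunk.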
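Review bot: The new `file.Chmod(0o511)` in `mktemp` carries no comment explaining why the mode is set here instead of at seal time, and the reason (the `unix.Fstat` that follows appears to feed an is-executable check that ran before the old chmod in `sealFile`, per the commit message) is not visible from the code. Suggest `// Set +x now rather than at seal time: the executable check below reads st_mode.` directly above the chmod. Placing it after `os.Remove` is sound: the file is already unlinked, so the world-execute bits in 0o511 are reachable only through this descriptor, and fchmod on an open fd is not subject to the umask. `mktemp` starts before and continues after this hunk.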