merge opencontainers#4444 into opencontainers/runc:main

lifubang (1): dmz: cloned binary: set +x permissions when creating regular tmpfile LGTMs: kolyshkin cyphar
lifubang · Oct 15, 2024 · d82235c · d82235c
2 parents 798ba5c + 9fa324c
commit d82235c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/libcontainer/dmz/cloned_binary_linux.go b/libcontainer/dmz/cloned_binary_linux.go
@@ -64,9 +64,6 @@ func Memfd(comment string) (*os.File, SealFunc, error) {
 }
 
 func sealFile(f **os.File) error {
-	if err := (*f).Chmod(0o511); err != nil {
-		return err
-	}
 	// When sealing an O_TMPFILE-style descriptor we need to
 	// re-open the path as O_PATH to clear the existing write
 	// handle we have.
@@ -108,6 +105,9 @@ func mktemp(dir string) (*os.File, SealFunc, error) {
 	if err := os.Remove(file.Name()); err != nil {
 		return nil, nil, fmt.Errorf("unlinking classic tmpfile: %w", err)
 	}
+	if err := file.Chmod(0o511); err != nil {
+		return nil, nil, fmt.Errorf("chmod classic tmpfile: %w", err)
+	}
 	var stat unix.Stat_t
 	if err := unix.Fstat(int(file.Fd()), &stat); err != nil {
 		return nil, nil, fmt.Errorf("cannot fstat classic tmpfile: %w", err)