fix(bwrap): honor namespace fd 0 #731

Open
danielchristiancazares wants to merge 1 commit into containers:main from danielchristiancazares:fix/namespace-fd-zero-handling

@danielchristiancazares

Summary

  • treat namespace FDs consistently using the -1 sentinel check
  • accept fd

Use -1 sentinel checks for --userns, --userns2, and --pidns so fd 0 is treated as a valid descriptor consistently.

/* Switch to the custom user ns before the clone, gets us privs in that ns (assuming its a child of the current and thus allowed) */
if (opt_userns_fd > 0 && setns (opt_userns_fd, CLONE_NEWUSER) != 0)
if (opt_userns_fd != -1 && setns (opt_userns_fd, CLONE_NEWUSER) != 0)
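
Review bot: The new `opt_userns_fd != -1` test in front of the `setns` call only skips the namespace switch when the variable holds exactly -1, and the variable's initializer is not visible in this hunk. Please confirm that `opt_userns_fd` defaults to -1 and that the `--userns` argument parsing cannot leave it at 0 when the option is absent, otherwise an invocation without `--userns` would now reach `setns (0, CLONE_NEWUSER)` on stdin. While touching this line, the comment's "assuming its a child" could be corrected to "it's".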
Contributor

Let's use >= 0 because this really is what makes the fd valid.

Every other check uses != -1. Unexpected invalid fds failing loudly seems like an upside.

Contributor

Fair
