colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: pasta: fix to not keep the non-sandboxed file open after exec'ing into the user program

Browse Source
This commit is contained in:
Colin
2025-01-06 03:00:35 +00:00
parent 7f069b0f23
commit d3a3231861
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pkgs/by-name/bunpen/restrict/pasta.ha
View File

@@ -36,7 +36,10 @@ fn pasta_restrict(net: resources::net_subset) void = {
// grab a handle to the namespaces of the primary process.
// then we can fork, unshare net (in parent) and refer to that unshared netns
// in the child (pasta) via ${ns_fd}/net.
let ns_fd = errors::ext::check_int("setup_pasta: open /proc/self/ns", rt::open("/proc/self/ns", rt::O_RDONLY, 0o400));
let ns_fd = errors::ext::check_int(
"setup_pasta: open /proc/self/ns",
rt::open("/proc/self/ns", rt::O_RDONLY | rt::O_CLOEXEC, 0o400),
);
let (pipe_parent_rd, pipe_child_wr) = unix::pipe()!;
let (pipe_child_rd, pipe_parent_wr) = unix::pipe()!;