From 29273b03842a85bce8314799348231520ceb6e9c Mon Sep 17 00:00:00 2001
From: Dean Deng <deandeng@google.com>
Date: Tue, 29 Oct 2019 10:03:18 -0700
Subject: Disallow execveat on interpreter scripts with fd opened with
 O_CLOEXEC.

When an interpreter script is opened with O_CLOEXEC and the resulting fd is
passed into execveat, an ENOENT error should occur (the script would otherwise
be inaccessible to the interpreter). This matches the actual behavior of
Linux's execveat.

PiperOrigin-RevId: 277306680
---
 pkg/sentry/kernel/kernel.go | 1 +
 1 file changed, 1 insertion(+)

(limited to 'pkg/sentry/kernel')

diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go
index fcfe7a16d..e64d648e2 100644
--- a/pkg/sentry/kernel/kernel.go
+++ b/pkg/sentry/kernel/kernel.go
@@ -812,6 +812,7 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, ThreadID,
 		ResolveFinal:        true,
 		Filename:            args.Filename,
 		File:                args.File,
+		CloseOnExec:         false,
 		Argv:                args.Argv,
 		Envv:                args.Envv,
 		Features:            k.featureSet,
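Review bot: The added `CloseOnExec: false` in the struct literal inside CreateProcess has no comment, and since `false` is the Go zero value the line exists only as documentation. A reader cannot tell from it why close-on-exec can never apply on this path, while the commit message says the flag decides whether an interpreter script fails with ENOENT. Presumably `args.File` is handed in by the caller of CreateProcess rather than looked up in a task's descriptor table, so no O_CLOEXEC flag exists to honor; if so, say it above the field, e.g. `// args.File is not an fd from a task's FD table, so it carries no close-on-exec flag.` The literal begins and ends outside this hunk, so confirm that nothing later in it overrides the field.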
-- 
cgit v1.2.3