From 96f914295920404e7c5c97553771e09b31f6900a Mon Sep 17 00:00:00 2001
From: Fabricio Voznika <fvoznika@google.com>
Date: Fri, 10 Apr 2020 15:46:16 -0700
Subject: Use O_CLOEXEC when dup'ing FDs

The sentry doesn't allow execve, but it's a good defense
in-depth measure.

PiperOrigin-RevId: 305958737
---
 runsc/boot/filter/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'runsc/boot')

diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 06b9f888a..1828d116a 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -44,7 +44,7 @@ var allowedSyscalls = seccomp.SyscallRules{
 		{
 			seccomp.AllowAny{},
 			seccomp.AllowAny{},
-			seccomp.AllowValue(0),
+			seccomp.AllowValue(syscall.O_CLOEXEC),
 		},
 	},
 	syscall.SYS_EPOLL_CREATE1: {},
-- 
cgit v1.2.3