includeExecFifo opens the container's execfifo as a pathfd, so that the container cannot access the statedir (and the FIFO itself remains un-opened). It then adds the FifoFd to the given exec.Cmd as an inherited fd, with _LIBCONTAINER_FIFOFD set to its fd number.
(cmd *exec.Cmd)
| 480 | // un-opened). It then adds the FifoFd to the given exec.Cmd as an inherited |
| 481 | // fd, with _LIBCONTAINER_FIFOFD set to its fd number. |
func (c *Container) includeExecFifo(cmd *exec.Cmd) error {
	// O_PATH yields a descriptor that only names the FIFO: it is not opened
	// for reading or writing here. O_CLOEXEC keeps this parent-side
	// descriptor from being inherited implicitly across an exec; the child
	// receives it only through the explicit ExtraFiles entry added below.
	const openFlags = unix.O_PATH | unix.O_CLOEXEC

	pathFd, err := os.OpenFile(filepath.Join(c.stateDir, execFifoFilename), openFlags, 0)
	if err != nil {
		return err
	}
	// The handle is retained on the Container; where it is closed is not
	// visible in this listing.
	c.fifo = pathFd

	// os/exec maps ExtraFiles[i] to descriptor 3+i in the child, so the
	// entry just appended sits at the last index. stdioFdCount is presumably
	// that offset of 3 (stdin/stdout/stderr); confirm against its definition.
	cmd.ExtraFiles = append(cmd.ExtraFiles, pathFd)
	childFd := stdioFdCount + len(cmd.ExtraFiles) - 1

	// The child learns the descriptor number from its environment.
	cmd.Env = append(cmd.Env, "_LIBCONTAINER_FIFOFD="+strconv.Itoa(childFd))
	return nil
}
| 495 | |
| 496 | func (c *Container) newParentProcess(p *Process) (parentProcess, error) { |
| 497 | comm, err := newProcessComm() |