From 4c7304db85bd4e8ae641ab946a5b3832f24b6eca Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Tue, 25 Jan 2022 20:08:00 +0100
Subject: conf, pasta: Explicitly pass CLONE_{NEWUSER,NEWNET} to setns()

Only allow the intended types of namespaces to be joined via setns()
as a defensive measure.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'util.c')

diff --git a/util.c b/util.c
index d172ad8..7a3ea51 100644
--- a/util.c
+++ b/util.c
@@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
  */
 int ns_enter(struct ctx *c)
 {
-	if (!c->netns_only && setns(c->pasta_userns_fd, 0))
+	if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
 		return -errno;
 
-	if (setns(c->pasta_netns_fd, 0))
+	if (setns(c->pasta_netns_fd, CLONE_NEWNET))
 		return -errno;
 
 	return 0;
-- 
cgit v1.2.3