test

cri-o · Apr 18, 2024 · 8fb2aef · 8fb2aef
1 parent bc14210
commit 8fb2aef
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -758,16 +758,25 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrfactory.Cont
 		ctr.DisableFips(),
 	)
 	if ctr.DisableFips() {
-		// Add a mount to override and disable the crypto.fips_enabled sysctl inside the container
-		options := []string{"noexec", "nosuid", "nodev", "ro"}
-		sysctlData := []byte("0\n")
-		sysctlMount := rspec.Mount{
+		// Create a temporary file to store the value to be written to /proc/sys/crypto/fips_enabled
+		tmpFile, err := os.CreateTemp("", "tmpfips-")
+		if err != nil {
+			return nil, err
+		}
+		defer os.Remove(tmpFile.Name())
+
+		// Write the value to the temporary file
+		if _, err := tmpFile.WriteString("0\n"); err != nil {
+			return nil, err
+		}
+
+		// Create the tmpfs mount
+		secretMounts = append(secretMounts, rspec.Mount{
 			Destination: "/proc/sys/crypto/fips_enabled",
-			Source:      "tmpfs",
+			Source:      tmpFile.Name(),
 			Type:        "tmpfs",
-			Options:     append(options, fmt.Sprintf("mode=0644,data=%s", sysctlData)),
-		}
-		secretMounts = append(secretMounts, sysctlMount)
+			Options:     []string{"noexec", "nosuid", "nodev", "ro"},
+		})
 	}
 
 	mounts := []rspec.Mount{}