test

Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
cri-o · Apr 18, 2024 · f6c46db · f6c46db
1 parent bc14210
commit f6c46db
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -200,7 +200,7 @@ linters-settings:
       # - filepathJoin
       # - whyNoLint
   gocyclo:
-    min-complexity: 165
+    min-complexity: 170
   nakedret:
     max-func-lines: 15
   goconst:

diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -758,16 +758,25 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrfactory.Cont
 		ctr.DisableFips(),
 	)
 	if ctr.DisableFips() {
-		// Add a mount to override and disable the crypto.fips_enabled sysctl inside the container
-		options := []string{"noexec", "nosuid", "nodev", "ro"}
-		sysctlData := []byte("0\n")
-		sysctlMount := rspec.Mount{
+		// Create a temporary file to store the value to be written to /proc/sys/crypto/fips_enabled
+		tmpFile, err := os.CreateTemp("", "tmpfips-")
+		if err != nil {
+			return nil, err
+		}
+		defer os.Remove(tmpFile.Name())
+
+		// Write the value to the temporary file
+		if _, err := tmpFile.WriteString("0\n"); err != nil {
+			return nil, err
+		}
+
+		// Create the tmpfs mount
+		secretMounts = append(secretMounts, rspec.Mount{
 			Destination: "/proc/sys/crypto/fips_enabled",
-			Source:      "tmpfs",
+			Source:      tmpFile.Name(),
 			Type:        "tmpfs",
-			Options:     append(options, fmt.Sprintf("mode=0644,data=%s", sysctlData)),
-		}
-		secretMounts = append(secretMounts, sysctlMount)
+			Options:     []string{"noexec", "nosuid", "nodev", "ro"},
+		})
 	}
 
 	mounts := []rspec.Mount{}