Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Only allow host openat(2) syscalls with O_NOFOLLOW with directfs.
Updates the directfs seccomp filters to ensure that all openat(2) host syscalls have the O_NOFOLLOW bit set. This would ensure that we don't follow a symlink in the host filesystem by mistake.

The gofer client currently always uses O_NOFOLLOW. But this will help prevent any malicious usage of openat(2) if the sandbox is compromised somehow.

The container filesystem is well-isolated from the host filesystems using pivot_root(2). So following a host symlink from the sandbox context should still not escape the container. But this provides an additional layer of security.

PiperOrigin-RevId: 523839219
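As an added illustration (not gVisor's own code; its real filters are written in Go), the rule from the commit message expressed as a raw seccomp-bpf program in C, together with a small user-space evaluator so the rule can be checked against constructed syscall records without installing it. The names nofollow_filter, nofollow_verdict, run_filter and install_nofollow_filter are ours. The program is pinned to the x86_64 or arm64 ABI and, unlike gVisor's full allowlist, lets every syscall other than openat(2) through so that it can run stand-alone.

```c
/* Added example (not gVisor's code): a seccomp-bpf filter that admits
 * openat(2) only when O_NOFOLLOW is set, plus a tiny evaluator for testing. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older uapi headers */
#endif
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* args[2] of openat(2) is the flags word; the low 32 bits sit at the
 * member's offset on little-endian hosts (x86_64, arm64). */
static struct sock_filter nofollow_filter[] = {
    /* 0: pin the ABI so the syscall number below means what we think */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3: anything other than openat(2) is outside this rule: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 3),
    /* 5: openat(2): allow only if O_NOFOLLOW is present in flags */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_NOFOLLOW, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    /* 8: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define NOFOLLOW_FILTER_LEN (sizeof(nofollow_filter) / sizeof(nofollow_filter[0]))

/* Minimal classic-BPF interpreter covering only the opcodes used above. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *ins = &prog[pc];
        switch (BPF_CLASS(ins->code)) {
        case BPF_LD: {                     /* BPF_W|BPF_ABS from seccomp_data */
            uint32_t word;
            if (ins->k + sizeof word > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&word, (const unsigned char *)d + ins->k, sizeof word);
            acc = word;
            pc++;
            break;
        }
        case BPF_JMP: {
            int taken;
            if (BPF_OP(ins->code) == BPF_JEQ)
                taken = (acc == ins->k);
            else if (BPF_OP(ins->code) == BPF_JSET)
                taken = (acc & ins->k) != 0;
            else
                return SECCOMP_RET_KILL_PROCESS;   /* opcode not modelled */
            pc += 1 + (taken ? ins->jt : ins->jf);
            break;
        }
        case BPF_RET:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end; the kernel rejects such programs */
}

/* Verdict for a syscall with the given arch, number and openat flags (args[2]). */
uint32_t nofollow_verdict(uint32_t arch, int nr, uint64_t flags)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    d.args[2] = flags;
    return run_filter(nofollow_filter, NOFOLLOW_FILTER_LEN, &d);
}

/* Install the filter for the calling thread (NO_NEW_PRIVS is required unprivileged). */
int install_nofollow_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)NOFOLLOW_FILTER_LEN,
                               .filter = nofollow_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_nofollow_filter() != 0) { perror("install_nofollow_filter"); return 1; }
    /* Raw syscalls, so no libc wrapper can quietly add or drop flags. */
    long fd = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);
    printf("openat without O_NOFOLLOW: %ld (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    fd = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY | O_NOFOLLOW);
    printf("openat with O_NOFOLLOW:    %ld (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0) close(fd);
    return 0;
}
```

Two caveats worth keeping in mind when reading the rule. First, the filter returns EPERM rather than killing the process; for a sandbox you would normally prefer a kill verdict so that a compromised sandbox cannot probe the policy, but EPERM keeps this demo harmless to run. Second, O_NOFOLLOW only refuses a symlink in the final path component; intermediate components are still resolved by the kernel, which is why the commit message still leans on pivot_root(2) and the gofer's own path handling rather than on this bit alone.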