Browse code
Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.
See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Justin Cormack authored on 2019/07/25 23:24:39Showing 1 changed files
| ... | ... |
@@ -4,13 +4,22 @@ import ( |
| 4 | 4 |
"fmt" |
| 5 | 5 |
"io" |
| 6 | 6 |
"io/ioutil" |
| 7 |
+ "net" |
|
| 7 | 8 |
"os" |
| 9 |
+ "os/user" |
|
| 8 | 10 |
"path/filepath" |
| 9 | 11 |
|
| 10 | 12 |
"github.com/docker/docker/pkg/archive" |
| 11 | 13 |
"github.com/docker/docker/pkg/idtools" |
| 12 | 14 |
) |
| 13 | 15 |
|
| 16 |
+func init() {
|
|
| 17 |
+ // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host |
|
| 18 |
+ // environment not in the chroot from untrusted files. |
|
| 19 |
+ _, _ = user.Lookup("docker")
|
|
| 20 |
+ _, _ = net.LookupHost("localhost")
|
|
| 21 |
+} |
|
| 22 |
+ |
|
| 14 | 23 |
// NewArchiver returns a new Archiver which uses chrootarchive.Untar |
| 15 | 24 |
func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
|
| 16 | 25 |
if idMapping == nil {
|