This is more secure than tempnam(). Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com> --- src/lxc/lxccontainer.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 5b96b8c..8424cf6 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -4128,12 +4128,30 @@ out_unlock:
 static void do_restore(struct lxc_container *c, int pipe, char *directory, bool verbose)
 {
 	pid_t pid;
-	char pidfile[L_tmpnam];
+	char pidfile[sizeof(P_tmpdir) + 25];
 	struct lxc_handler *handler;
-	int status;
+	int status, ret;
+
+	ret = snprintf(pidfile, sizeof(pidfile), "%s/lxc_criu_pidfile.XXXXXX", P_tmpdir);
+	if (ret < 0 || ret >= sizeof(pidfile))
+		goto out;
+
+	/*
+	 * Here, we simply use mkstemp to acquire a secure tmpfile name. CRIU
+	 * tries to create the pidfile with O_CREAT | O_EXCL, so we need to
+	 * remove it before calling criu.
+	 */
+	ret = mkstemp(pidfile);
+	if (ret < 0) {
+		SYSERROR("failed to create pidfile");
+		goto out;
+	}
 
-	if (!tmpnam(pidfile))
+	close(ret);
+	if (remove(pidfile) < 0) {
+		SYSERROR("failed to remove pidfile");
 		goto out;
+	}
 
 	handler = lxc_init(c->name, c->lxc_conf, c->config_path);
 	if (!handler)
@@ -4231,6 +4249,12 @@ static void do_restore(struct lxc_container *c, int pipe, char *directory, bool
 	ret = fscanf(f, "%d", (int*) &handler->pid);
 	fclose(f);
+
+	if (remove(pidfile) < 0) {
+		SYSERROR("failed to remove pidfile");
+		goto out_fini_handler;
+	}
+
 	if (ret != 1) {
 		ERROR("reading restore pid failed");
 		goto out_fini_handler;
-- 
2.1.4
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
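Review bot: The truncation exit `if (ret < 0 || ret >= sizeof(pidfile)) goto out;` is the one failure path in this hunk that logs nothing, so an over-long P_tmpdir makes do_restore give up silently while every other exit reports via SYSERROR; add `ERROR("pidfile path too long");` before that goto and write the comparison as `(size_t)ret >= sizeof(pidfile)` so it is sign-clean under -Wsign-compare. The hand-counted `25` in `char pidfile[sizeof(P_tmpdir) + 25]` is coupled to the literal in the snprintf format; `sizeof(P_tmpdir) + sizeof("/lxc_criu_pidfile.XXXXXX")` states the same bound without the arithmetic. The mkstemp/close/remove sequence still leaves a window between remove() and CRIU's open in which the name is free in the shared P_tmpdir; since CRIU opens with O_CREAT | O_EXCL, as the added comment says, a collision there makes the restore fail rather than follow a pre-existing file, and the comment should say so explicitly (`* A collision after remove() fails CRIU's O_EXCL open; it cannot redirect the pidfile.`) so the O_EXCL assumption is not dropped later. Reusing `ret` for the descriptor before `close(ret)` reads oddly next to the snprintf result; a separate `int fd` would be clearer. do_restore's body continues outside this hunk.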
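Review bot: The `remove(pidfile)` added after `fclose(f);` runs only on the path where the pidfile was opened and read, so a pidfile that CRIU did create would be left behind in P_tmpdir if a later step takes the out_fini_handler exit without it; the body between the two hunks is outside this view, so whether those paths already unlink it cannot be confirmed here, but unlinking from the out_fini_handler cleanup instead of inline would cover every exit once the file may exist. Note also that the hunk header announces 12 new-side lines while only 11 are visible, so the hunk's trailing context line appears to have been lost in this rendering.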