From 092824889d7054cafa04652c40cc9a258911103b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Fri, 7 Jan 2022 14:12:41 +0100
Subject: [PATCH] accept negative file descriptors since for instance mknodat(-1, ...) may be used to explicitly prevent relative paths we need to pass those along instead of immediately failing with EINVAL
Signed-off-by: Wolfgang Bumiller
---
 src/lxcseccomp.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/lxcseccomp.rs b/src/lxcseccomp.rs
index 76df0e4..273f3c9 100644
--- a/src/lxcseccomp.rs
+++ b/src/lxcseccomp.rs
@@ -397,7 +397,12 @@ impl ProxyMessageBuffer {
 /// Checked way to get a file descriptor argument.
 #[inline]
 pub fn arg_fd(&self, arg: u32, flags: c_int) -> Result {
- let fd = RawFd::try_from(self.arg(arg)?).map_err(|_| Error::from(Errno::EINVAL))?;
+ let fd = self.arg(arg)? as RawFd;
+ if fd < 0 {
+ // we pass those "as-is' to syscalls.
+ return Ok(Fd(fd));
+ }
+ // otherwise we'll open them from the process:
 if fd == libc::AT_FDCWD {
 Ok(self.pid_fd().fd_cwd()?)
 } else {
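Review bot: The new `if fd < 0` early return also catches `libc::AT_FDCWD`, which is -100 on Linux, so the `fd == libc::AT_FDCWD` branch below it can no longer be reached and the raw value goes to the syscall unchanged. A relative path would then presumably resolve against this daemon's own working directory rather than the calling process's, which is what `self.pid_fd().fd_cwd()` appears to be there to provide. Testing for AT_FDCWD first, or narrowing the guard to `if fd < 0 && fd != libc::AT_FDCWD {`, keeps the pass-through for values such as -1 without losing that lookup. The `as RawFd` cast also drops any upper bits that `try_from` used to reject with EINVAL; if that is meant to mirror how the kernel reads an `int` argument, a comment such as `// truncate to int like the kernel does for fd arguments` would record it. arg_fd's body continues past the end of the hunk.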