From 3e4ebe10ac323a15f04a20a22fe7ddd93e99bc0f Mon Sep 17 00:00:00 2001
From: quanweiZhou
Date: Sat, 22 May 2021 16:52:35 +0800
Subject: [PATCH] agent: fix start container failed when dropping all capabilities

When starting a container and dropping all capabilities, the init child process has no permission to read the exec.fifo file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.
fixes #1913
Signed-off-by: quanweiZhou
---
 src/agent/rustjail/src/container.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index f55878ce1..f74773ccd 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -820,7 +820,7 @@ impl BaseContainer for LinuxContainer {
  if stat::stat(fifo_file.as_str()).is_ok() {
  return Err(anyhow!("exec fifo exists"));
  }
- unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o622).unwrap())?;
+ unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o644).unwrap())?;
  fifofd = fcntl::open(
  fifo_file.as_str(),
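Review bot: The new mode on the `+` line makes the fifo readable by every uid on the host, which is wider than the commit message justifies (only the init child needs to read it), and the bits passed to `mkfifo` are still masked by the agent's umask, so under a restrictive umask the child may again lack read permission; a comment should record both facts, e.g. `// The init child reads the start signal from this fifo after dropping all capabilities (no CAP_DAC_OVERRIDE), so the read bit must be granted explicitly; the effective mode is further reduced by our umask.` If the child's uid is known at this point it would be tighter to grant read to that principal (owner or group) rather than to `other`; I cannot tell from the hunk whether `fifo_file` lives in a directory that already restricts access, so this is worth confirming. As a point of style, spelling the mode as `Mode::S_IRUSR | Mode::S_IWUSR | Mode::S_IRGRP | Mode::S_IROTH` instead of `Mode::from_bits(0o644).unwrap()` documents the intent and removes the `unwrap()`. The enclosing method of `impl BaseContainer for LinuxContainer` starts outside the hunk.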