From 7874ab33d499f86d8e7cacf3339f9715b4f84d13 Mon Sep 17 00:00:00 2001
From: quanweiZhou <quanweiZhou@linux.alibaba.com>
Date: Sat, 22 May 2021 16:52:35 +0800
Subject: [PATCH] agent: fix start container failed when dropping all
 capabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.

fixes #1913

Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
(cherry picked from commit 3e4ebe10ac323a15f04a20a22fe7ddd93e99bc0f)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
 src/agent/rustjail/src/container.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index 748ee4861c..5113a4826b 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -822,7 +822,7 @@ impl BaseContainer for LinuxContainer {
             if stat::stat(fifo_file.as_str()).is_ok() {
                 return Err(anyhow!("exec fifo exists"));
             }
-            unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o622).unwrap())?;
+            unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o644).unwrap())?;
 
             fifofd = fcntl::open(
                 fifo_file.as_str(),