From 66ac902118e1902b56f1fbbe82f9d4052c53cd65 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Tue, 7 Jan 2020 16:06:22 +0100
Subject: [PATCH] conmon: chmod std files pipes

make sure every user inside of the container can use the standard
files.  Without the chmod, only root in the container would be able to
print to stdout.

It went unnoticed with runc, as runc itself corrects these permissions
but it should not be the OCI runtime responsibility since conmon is
creating these files.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1786449

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 src/conmon.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/conmon.c b/src/conmon.c
index 4f2b4a2c..abd82978 100644
--- a/src/conmon.c
+++ b/src/conmon.c
@@ -1547,16 +1547,22 @@ int main(int argc, char *argv[])
 			slavefd_stdin = dev_null_r;
 		if (dup2(slavefd_stdin, STDIN_FILENO) < 0)
 			pexit("Failed to dup over stdin");
+		if (fchmod(STDIN_FILENO, 0777) < 0)
+			nwarn("Failed to chown stdin");
 
 		if (slavefd_stdout < 0)
 			slavefd_stdout = dev_null_w;
 		if (dup2(slavefd_stdout, STDOUT_FILENO) < 0)
 			pexit("Failed to dup over stdout");
+		if (fchmod(STDOUT_FILENO, 0777) < 0)
+			nwarn("Failed to chown stdout");
 
 		if (slavefd_stderr < 0)
 			slavefd_stderr = slavefd_stdout;
 		if (dup2(slavefd_stderr, STDERR_FILENO) < 0)
 			pexit("Failed to dup over stderr");
+		if (fchmod(STDERR_FILENO, 0777) < 0)
+			nwarn("Failed to chown stdout");
 
 		/* If LISTEN_PID env is set, we need to set the LISTEN_PID
 		   it to the new child process */