From 960607a4cd0c2672f28aaeab511770370c547a2c Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Mon, 4 Jan 2021 14:36:41 -0500
Subject: [PATCH] Ensure we do not edit container config in Exec

The existing code grabs the base container's process, and then modifies it for use with the exec session. This could cause errors in `podman inspect` or similar on the container, as the definition of its OCI spec has been changed by the exec session. The change never propagates to the DB, so it's limited to a single process, but we should still avoid it when possible - so deep-copy it before use.

Signed-off-by: Matthew Heon
---
 libpod/oci_conmon_linux.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 199b400979..f1220f3996 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1190,7 +1190,10 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 if err != nil {
 return nil, err
 }
- pspec := c.config.Spec.Process
+ pspec := new(spec.Process)
+ if err := JSONDeepCopy(c.config.Spec.Process, pspec); err != nil {
+ return nil, err
+ }
 pspec.SelinuxLabel = c.config.ProcessLabel
 pspec.Args = options.Cmd
 for _, cap := range options.CapAdd {
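Review bot: The new `JSONDeepCopy` call carries no comment saying why a full copy is required, so a later cleanup could swap it for a plain struct copy that still shares slices and nested pointers with `c.config.Spec.Process`. The lines right after it write the exec session's SELinux label and args, and apparently capabilities in the `options.CapAdd` loop, into `pspec`, so any aliasing would put exec-only privileges back into the container's in-memory spec. I would add `// Deep copy: pspec is mutated below for this exec session only and must not alias the container's OCI spec.` above the `new(spec.Process)` line. The error from `JSONDeepCopy` is also returned bare; wrapping it in the file's existing error style, with a short "copying process spec for exec" context, would make a failure here easier to attribute. `prepareProcessExec` starts and ends outside this hunk, so the later mutations of `pspec` were not reviewed.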