diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go index e03ab634b2d..92c6ef77030 100644 --- a/libcontainer/setns_init_linux.go +++ b/libcontainer/setns_init_linux.go @@ -150,11 +150,6 @@ func (l *linuxSetnsInit) Init() error { // (otherwise the (*os.File) finaliser could close the wrong file). See // CVE-2024-21626 for more information as to why this protection is // necessary. - // - // This is not needed for runc-dmz, because the extra execve(2) step means - // that all O_CLOEXEC file descriptors have already been closed and thus - // the second execve(2) from runc-dmz cannot access internal file - // descriptors from runc. if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil { return err } diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go index 4631f249ee2..9f7fa45d533 100644 --- a/libcontainer/standard_init_linux.go +++ b/libcontainer/standard_init_linux.go @@ -284,11 +284,6 @@ func (l *linuxStandardInit) Init() error { // (otherwise the (*os.File) finaliser could close the wrong file). See // CVE-2024-21626 for more information as to why this protection is // necessary. - // - // This is not needed for runc-dmz, because the extra execve(2) step means - // that all O_CLOEXEC file descriptors have already been closed and thus - // the second execve(2) from runc-dmz cannot access internal file - // descriptors from runc. if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil { return err }