jailer: Use O_NOFOLLOW for cgroup and netns file operations

ilstam · ilstam · commit 112bc89c3a30 · 2026-04-02T16:48:02.000+01:00
Open cgroup files in writeln_special()/readln_special() and the
network namespace file in join_netns() with O_NOFOLLOW, consistent
with the existing pattern used for the exec file copy in env.rs.

Signed-off-by: Ilias Stamatis &lt;ilstam@amazon.com&gt;
diff --git a/src/jailer/src/env.rs b/src/jailer/src/env.rs
@@ -519,8 +519,11 @@ impl Env {
 
     fn join_netns(path: &str) -> Result<(), JailerError> {
         // The fd backing the file will be automatically dropped at the end of the scope
-        let netns =
-            File::open(path).map_err(|err| JailerError::FileOpen(PathBuf::from(path), err))?;
+        let netns = OpenOptions::new()
+            .read(true)
+            .custom_flags(libc::O_NOFOLLOW)
+            .open(path)
+            .map_err(|err| JailerError::FileOpen(PathBuf::from(path), err))?;
 
         // SAFETY: Safe because we are passing valid parameters.
         SyscallReturnCode(unsafe { libc::setns(netns.as_raw_fd(), libc::CLONE_NEWNET) })
diff --git a/src/jailer/src/main.rs b/src/jailer/src/main.rs
@@ -3,6 +3,9 @@
 
 use std::ffi::{CString, NulError, OsString};
 use std::fmt::{Debug, Display};
+use std::fs::OpenOptions;
+use std::io::Read;
+use std::os::unix::fs::OpenOptionsExt;
 use std::path::{Path, PathBuf};
 use std::{env as p_env, fs, io};
 
@@ -240,12 +243,24 @@ where
     T: AsRef<Path> + Debug,
     V: Display + Debug,
 {
-    fs::write(file_path, format!("{}\n", value))
+    let mut file = OpenOptions::new()
+        .write(true)
+        .truncate(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(file_path.as_ref())
+        .map_err(|err| JailerError::Write(PathBuf::from(file_path.as_ref()), err))?;
+    io::Write::write_all(&mut file, format!("{}\n", value).as_bytes())
         .map_err(|err| JailerError::Write(PathBuf::from(file_path.as_ref()), err))
 }
 
 pub fn readln_special<T: AsRef<Path> + Debug>(file_path: &T) -> Result<String, JailerError> {
-    let mut line = fs::read_to_string(file_path)
+    let mut file = OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(file_path.as_ref())
+        .map_err(|err| JailerError::ReadToString(PathBuf::from(file_path.as_ref()), err))?;
+    let mut line = String::new();
+    file.read_to_string(&mut line)
         .map_err(|err| JailerError::ReadToString(PathBuf::from(file_path.as_ref()), err))?;
 
     // Remove the newline character at the end (if any).
