Open /proc/PID/ns/* read-only to avoid getting permission denied
authorCédric Bosdonnat <cbosdonnat@suse.com>
Thu, 9 Apr 2015 07:22:43 +0000 (09:22 +0200)
committerCédric Bosdonnat <cbosdonnat@suse.com>
Thu, 9 Apr 2015 09:20:32 +0000 (11:20 +0200)
lxc-enter-namespace stopped working on recent kernels (at least 3.19+)
due to /proc/PID/ns/* file descriptors being opened RW. From outside
the namespace these can only be opened RO.

src/util/virprocess.c

index ab1e039eab65598f594ff9e6e8b6108185998efc..7a7997021248c35ec0e35de6138c227a933f59b5 100644 (file)
@@ -628,7 +628,7 @@ int virProcessGetNamespaces(pid_t pid,
                         ns[i]) < 0)
             goto cleanup;
 
-        if ((fd = open(nsfile, O_RDWR)) >= 0) {
+        if ((fd = open(nsfile, O_RDONLY)) >= 0) {
             if (VIR_EXPAND_N(*fdlist, *nfdlist, 1) < 0) {
                 VIR_FORCE_CLOSE(fd);
                 goto cleanup;
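Review bot: A failed open() on the changed line is still passed over without any report, as far as the visible lines show: only the `>= 0` branch acts, and the rest of virProcessGetNamespaces lies outside the hunk, so this is inferred. That would explain how the regression in the commit message went unnoticed, because an EACCES on /proc/PID/ns/* is indistinguishable from a namespace type the running kernel does not provide. Consider surfacing every errno other than ENOENT, for example `} else if (errno != ENOENT) { virReportSystemError(errno, _("Unable to open %s"), nsfile); }`, and decide whether that case should also `goto cleanup`. Since the flags are being changed anyway, `open(nsfile, O_RDONLY | O_CLOEXEC)` would keep these namespace descriptors from being inherited across an exec unless the caller hands them on deliberately.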