
3206: Protect against CNI plugin being called with the host namespace
Add a check that the network namespace passed to the plugin is not the host network namespace.

Fixes #3206
murali-reddy committed Jul 16, 2018
1 parent 58eaf19 commit c3d820f
Showing 1 changed file with 10 additions and 0 deletions.
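--- a/plugin/net/cni.go
+++ b/plugin/net/cni.go
@@ -117,6 +117,16 @@ func (c *CNIPlugin) CmdAdd(args *skel.CmdArgs) error {
 }
 defer ns.Close()
 
+hostNs, err := netns.Get()
+if err != nil {
+return fmt.Errorf("error accessing host network namespace: %s", err)
+}
+defer hostNs.Close()
+
+if ns.Equal(hostNs) {
+return fmt.Errorf("can not specify host network namespace as network namespace to which container should be added.")
+}
+
 id := args.ContainerID
 if len(id) < 5 {
 data := make([]byte, 5)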
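Review bot: The new guard in CmdAdd treats whatever `netns.Get()` returns as the host namespace, but that call reports the network namespace of the calling thread. The check therefore holds only if the runtime executes the plugin in the host namespace and nothing earlier in CmdAdd has switched the thread's namespace; the function starts and ends outside this hunk, so neither can be confirmed from here. I would record that assumption above the call, e.g. `// netns.Get returns the calling thread's netns; the plugin is expected to be exec'd in the host netns, which is the namespace we must refuse to configure`. As far as I know, `ns.Equal` also returns false when it cannot stat one of the handles, which would let the guard fail open, so that path is worth confirming. Separately, the second error has no format verbs and ends with a period, so `errors.New("cannot use the host network namespace as the container network namespace")` would be more idiomatic if `errors` is already imported in this file.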
