From ac0e25d39dc0eaaf492ea626e1c1bbf3b5f2999f Mon Sep 17 00:00:00 2001
From: jake
Date: Mon, 18 Sep 2023 11:08:22 +0000
Subject: [PATCH 8/8] !266 set env to avoid invoke lxc binary directly
* set env to avoid invoke lxc binary directly
---
 src/runtime/lcrcontainer.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/runtime/lcrcontainer.c b/src/runtime/lcrcontainer.c
index 4270902..ad6dc66 100644
--- a/src/runtime/lcrcontainer.c
+++ b/src/runtime/lcrcontainer.c
@@ -289,6 +289,12 @@ bool lcr_start(const struct lcr_start_request *request)
 close(pipefd[0]);
 dup2(pipefd[1], 2);
+ // should set LXC_MEMFD_REXEC=1 before lxc_start
+ // to improve the security of launching containers
+ if (setenv("LXC_MEMFD_REXEC", "1", true) != 0) {
+ exit(1);
+ }
+
 execute_lxc_start(request->name, path, request);
 }
-- 
2.34.1
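Review bot: The new `setenv` failure branch calls `exit(1)` without reporting anything, although `dup2(pipefd[1], 2)` just above has pointed stderr at the pipe, so the reader at the other end sees only a silent exit when this hardening step fails. Failing closed is the right choice; I would add a diagnostic before leaving, e.g. `fprintf(stderr, "lcr_start: setenv(LXC_MEMFD_REXEC) failed\n");`. If this branch runs in a forked child, as the pipe handling suggests (the fork and the rest of lcr_start are outside the hunk), `_exit(1)` would be safer than `exit(1)` because it skips atexit handlers and the flushing of stdio buffers inherited from the parent. The comment could also state the effect rather than "improve the security", for example `// LXC_MEMFD_REXEC asks liblxc to re-execute from an in-memory copy, so the container cannot reach the on-disk binary through the running process`, provided that matches the liblxc version in use.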