From f017e0f9e16459fdbe93bb24fcd78586fe0ec748 Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov
Date: Sat, 12 Oct 2019 19:25:53 +0100
Subject: [PATCH] checkpoint: Set descriptors.json file mode to 0600

Prevent unprivileged users from being able to read descriptors.json

Signed-off-by: Radostin Stoyanov
---
 libcontainer/container_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 6ff4d96a..197a4c04 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1111,7 +1111,7 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
 return err
 }
- err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0655)
+ err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0600)
 if err != nil {
 return err
 }
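Review bot: The 0600 passed to `ioutil.WriteFile` only applies when descriptors.json is created. If a file of that name already exists in `criuOpts.ImagesDirectory`, WriteFile truncates it and leaves its existing permission bits in place, so a file left by an earlier checkpoint with the old 0655 mode would stay readable by other users. Whether an images directory can be reused is not visible in this hunk, but setting the mode explicitly after the write closes the gap: `if err := os.Chmod(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), 0600); err != nil { return err }` (this assumes `os` is already imported in the file). A short comment on the call, such as `// descriptors.json exposes the container's external fd paths; keep it owner-only`, would also record why the mode matters. Checkpoint's body starts and ends outside the hunk, so the permissions of the images directory itself cannot be checked from here.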