From 1b91df012d0dd0ea78873a40e33d13f5d8b6683e Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Mon, 29 Jul 2024 15:12:55 +0200
Subject: [PATCH] pkg/api: do not leak config pointers into specgen

The value of the pointer might be changed while creating the container causing unexpected side effects.

Signed-off-by: Paul Holzinger
---
 pkg/api/handlers/libpod/containers_create.go | 8 ++++++--
 test/apiv2/25-containersMore.at | 13 +++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/pkg/api/handlers/libpod/containers_create.go b/pkg/api/handlers/libpod/containers_create.go
index 46fc5a80ef..1df0bb2a40 100644
--- a/pkg/api/handlers/libpod/containers_create.go
+++ b/pkg/api/handlers/libpod/containers_create.go
@@ -27,14 +27,18 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ // copy vars here and not leak config pointers into specgen
+ noHosts := conf.Containers.NoHosts
+ privileged := conf.Containers.Privileged
+
 // we have to set the default before we decode to make sure the correct default is set when the field is unset
 sg := specgen.SpecGenerator{
 ContainerNetworkConfig: specgen.ContainerNetworkConfig{
- UseImageHosts: &conf.Containers.NoHosts,
+ UseImageHosts: &noHosts,
 },
 ContainerSecurityConfig: specgen.ContainerSecurityConfig{
 Umask: conf.Containers.Umask,
- Privileged: &conf.Containers.Privileged,
+ Privileged: &privileged,
 },
 }
 
diff --git a/test/apiv2/25-containersMore.at b/test/apiv2/25-containersMore.at
index 802997377d..f86194ba86 100644
--- a/test/apiv2/25-containersMore.at
+++ b/test/apiv2/25-containersMore.at
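Review bot: The new comment `// copy vars here and not leak config pointers into specgen` records what is done but not why, so a later cleanup that folds `&noHosts` back into `&conf.Containers.NoHosts` would reintroduce the defect unnoticed. Suggest `// Copy these values so sg never aliases the shared config: the request body is decoded into sg, and a pointer into conf would let one request's privileged/no-hosts choice persist into every later container.` The decode-through-pointer behaviour is inferred from the existing "we have to set the default before we decode" context line, so confirm it against the decode call that follows the hunk. Only these two fields are fixed here; any other address taken from conf in this handler carries the same cross-request aliasing hazard and is worth checking, since the consequence is a later container silently inheriting an earlier request's security settings. CreateContainer begins and ends outside this hunk.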
@@ -86,4 +86,17 @@ podman run $IMAGE true
 t POST libpod/containers/prune 200
 t GET libpod/containers/json 200 \
 length=0
+
+# check the config options are not overwritten by acceident
+t POST libpod/containers/create name=test1 image=$IMAGE privileged=true 201
+t GET libpod/containers/test1/json 200 \
+ .HostConfig.Annotations.'"io.podman.annotations.privileged"'="TRUE"
+
+# now the same without privileged it should not inhert the privileged from before
+t POST libpod/containers/create name=test2 image=$IMAGE 201
+t GET libpod/containers/test2/json 200 \
+ .HostConfig.Annotations=null
+
+podman rm test1 test2
+
 # vim: filetype=sh
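Review bot: The regression test only exercises `privileged`, while the Go change also stops aliasing `conf.Containers.NoHosts` through `UseImageHosts`; a second create/inspect pair that sets the hosts option on one container and checks the next one does not inherit it would keep that half of the fix from regressing silently. Two typos in the added comments: `# check the config options are not overwritten by acceident` should read `accident`, and `it should not inhert the privileged from before` should read `inherit`. The `.HostConfig.Annotations=null` assertion for test2 relies on no annotation being set by default, so it will start failing if a default annotation is ever introduced; asserting specifically that the privileged annotation is absent would be more targeted.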