attach: close lsm label file descriptor 1348/head
authorChristian Brauner <christian.brauner@ubuntu.com>
Thu, 8 Dec 2016 22:26:17 +0000 (23:26 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Thu, 8 Dec 2016 22:26:53 +0000 (23:26 +0100)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/attach.c

index 285ef4d245bf534c663bc45f518c3915be072338..e16d3d7dcf73e88a50006ada2f9113a054190378 100644 (file)
@@ -941,7 +941,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 
                /* Open LSM fd and send it to child. */
                if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) {
-                       int on_exec, labelfd;
+                       int on_exec;
+                       int labelfd = -1;
                        on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
                        /* Open fd for the LSM security module. */
                        labelfd = lsm_openat(procfd, attached_pid, on_exec);
@@ -950,6 +951,7 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 
                        /* Send child fd of the LSM security module to write to. */
                        ret = lxc_abstract_unix_send_fd(ipc_sockets[0], labelfd, NULL, 0);
+                       close(labelfd);
                        if (ret <= 0) {
                                ERROR("Error using IPC to send child LSM fd (4): %s.",
                                                strerror(errno));
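Review bot: The added `close(labelfd);` runs between `lxc_abstract_unix_send_fd()` and the `ret <= 0` branch that logs `strerror(errno)`, and close() may change errno, so the message can name the wrong cause of a failed send. Preserve the value across the close, e.g. `saved_errno = errno; close(labelfd);` with a new local `int saved_errno`, and log `strerror(saved_errno)` instead. The lines between this hunk and the previous one are not shown, so it cannot be confirmed from here that labelfd is checked for a negative value before it reaches the close. lxc_attach starts and ends outside the hunk.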
@@ -957,6 +959,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
                        }
                }
 
+               if (procfd >= 0)
+                       close(procfd);
                /* now shut down communication with child, we're done */
                shutdown(ipc_sockets[0], SHUT_RDWR);
                close(ipc_sockets[0]);
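Review bot: `procfd` keeps its old number after the new `close(procfd);`, so any later cleanup in lxc_attach that closes it again (none is visible in this hunk) would hit whatever descriptor has reused that number. Resetting it makes the close idempotent: `if (procfd >= 0) { close(procfd); procfd = -1; }`. The close also covers only this success path. The send-failure branch in the preceding hunk leaves through code that is not shown, and if that path does not close procfd the descriptor still leaks on error, which matters for a long-lived caller of the attach API. lxc_attach continues past the end of the hunk.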