]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2008796)
don't leak the rootfs.pin fd into the container
authorSerge Hallyn <serge.hallyn@canonical.com>
Thu, 17 Jan 2013 15:53:33 +0000 (09:53 -0600)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 21 Jan 2013 21:22:37 +0000 (16:22 -0500)
Only the container parent needs to keep that fd open.  Close it
as soon as the container's first task is spawned.  Else it can
show up in /proc/$$/fd in the container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/start.c patch | blob | blame | history
src/lxc/start.h patch | blob | blame | history

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 90696f605275abf31abf212129323bdb367c9983..5083b24c9209651d45378ee7dc37a261c8e038c6 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -575,6 +575,9 @@ static int do_start(void *data)
 
        lxc_sync_fini_parent(handler);
 
+       /* don't leak the pinfd to the container */
+       close(handler->pinfd);
+
        /* Tell the parent task it can begin to configure the
         * container and wait for it to finish
         */
@@ -691,7 +694,6 @@ int lxc_spawn(struct lxc_handler *handler)
 {
        int failed_before_rename = 0;
        const char *name = handler->name;
-       int pinfd;
 
        if (lxc_sync_init(handler))
                return -1;
@@ -735,8 +737,8 @@ int lxc_spawn(struct lxc_handler *handler)
         * marking it readonly.
         */
 
-       pinfd = pin_rootfs(handler->conf->rootfs.path);
-       if (pinfd == -1) {
+       handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
+       if (handler->pinfd == -1) {
                ERROR("failed to pin the container's rootfs");
                goto out_abort;
        }
@@ -818,8 +820,8 @@ int lxc_spawn(struct lxc_handler *handler)
 
        lxc_sync_fini(handler);
 
-       if (pinfd >= 0)
-               close(pinfd);
+       if (handler->pinfd >= 0)
+               close(handler->pinfd);
 
        return 0;
 
diff --git a/src/lxc/start.h b/src/lxc/start.h
index 4b2e2b54e16da4645373f954f510010b5d14a211..27688f386e00f357fbe106742d5b2325e6b64c28 100644 (file)
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -49,6 +49,7 @@ struct lxc_handler {
 #if HAVE_APPARMOR
        int aa_enabled;
 #endif
+       int pinfd;
 };
 
 extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
Mirror of https://github.com/lxc/lxc.git