attach: be paranoid about file descriptors

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 9b79158603569669be186817f08fa51970bf3ea2..f1700da4f434960a501dfffa66c99ed0d812466d 100644 (file)
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1657,6 +1657,13 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
                TRACE("Moved transient process %d into container cgroup", pid);
        }
 
+       /*
+        * Close sensitive file descriptors we don't need anymore. Even if
+        * we're the parent.
+        */
+       if (!attach_context_security_barrier(ctx))
+               goto on_error;
+
        /* Setup /proc limits */
        if (!lxc_list_empty(&conf->procs)) {
                ret = setup_proc_filesystem(&conf->procs, pid);