attach: explicitly close seccomp notifier fd

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index ee18bfa3ebc34bd0fc7f333990736e461c042792..dac1a93c6200fe34397a79d5ace2c885844fe07c 100644 (file)
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1208,6 +1208,7 @@ __noreturn static void do_attach(struct attach_payload *ap)
                ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
                if (ret < 0)
                        goto on_error;
+               lxc_seccomp_close_notifier_fd(&conf->seccomp);
        }
 
        if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))

diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index 2e9bda5a4318631a90f5d53b65ad6b1f1630be58..33b50f5d3f1ab8e0e3d035068183899070e7ea3b 100644 (file)
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -91,6 +91,14 @@ __hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, in
 __hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
 __hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
                                             struct lxc_seccomp *seccomp);
+static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+       if (seccomp->notifier.wants_supervision)
+               close_prot_errno_disarm(seccomp->notifier.notify_fd);
+#endif
+}
+
 static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
 {
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
@@ -162,5 +170,9 @@ static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
        return -EBADF;
 }
 
+static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
+{
+}
+
 #endif /* HAVE_SECCOMP */
 #endif /* __LXC_LXCSECCOMP_H */

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 94d33d26d8f17787df39c7a06c1ff9acbdb16ea5..72cbb530ade52dab530682f99c2d648c11fbaab6 100644 (file)
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1638,7 +1638,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
 int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
                             struct lxc_seccomp *seccomp)
 {
-
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
        if (seccomp->notifier.wants_supervision) {
                int ret;