From: Serge Hallyn
Date: Thu, 17 Jan 2013 15:53:33 +0000 (-0600)
Subject: don't leak the rootfs.pin fd into the container
X-Git-Tag: lxc-0.9.0.alpha3~1^2~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b0e17e48f4f55ddfcde74d1f00932837fa2cfda;p=thirdparty%2Flxc.git

don't leak the rootfs.pin fd into the container

Only the container parent needs to keep that fd open. Close it as soon as the container's first task is spawned. Else it can show up in /proc/$$/fd in the container.

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 90696f605..5083b24c9 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -575,6 +575,9 @@ static int do_start(void *data)
 lxc_sync_fini_parent(handler);
 
+ /* don't leak the pinfd to the container */
+ close(handler->pinfd);
+
 /* Tell the parent task it can begin to configure the
 * container and wait for it to finish
 */
@@ -691,7 +694,6 @@ int lxc_spawn(struct lxc_handler *handler)
 {
 int failed_before_rename = 0;
 const char *name = handler->name;
- int pinfd;
 
 if (lxc_sync_init(handler))
 return -1;
@@ -735,8 +737,8 @@ int lxc_spawn(struct lxc_handler *handler)
 * marking it readonly.
 */
 
- pinfd = pin_rootfs(handler->conf->rootfs.path);
- if (pinfd == -1) {
+ handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
+ if (handler->pinfd == -1) {
 ERROR("failed to pin the container's rootfs");
 goto out_abort;
 }
@@ -818,8 +820,8 @@ int lxc_spawn(struct lxc_handler *handler)
 lxc_sync_fini(handler);
 
- if (pinfd >= 0)
- close(pinfd);
+ if (handler->pinfd >= 0)
+ close(handler->pinfd);
 
 return 0;
diff --git a/src/lxc/start.h b/src/lxc/start.h
index 4b2e2b54e..27688f386 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -49,6 +49,7 @@ struct lxc_handler {
 #if HAVE_APPARMOR
 int aa_enabled;
 #endif
+ int pinfd;
 };
 
 extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
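Review bot: The new `close(handler->pinfd)` in do_start runs unconditionally, while the matching teardown at the end of lxc_spawn guards with `if (handler->pinfd >= 0)`; if pin_rootfs can return a non-descriptor value for a container without a pinnable rootfs (its body is not in this diff), the child would close an unrelated descriptor, so mirror the guard here: `if (handler->pinfd >= 0) close(handler->pinfd);`. It is also worth confirming whether pin_rootfs opens the pin with O_CLOEXEC; if it does, the kernel drops the descriptor at the container's exec anyway and this explicit close only narrows the window in which pre-exec code in the child can see it, which is still worth keeping. The body of do_start starts and ends outside the hunk, so any earlier hook or exec between the clone and this point cannot be checked from here.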
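Review bot: After the `close(handler->pinfd)` at the end of lxc_spawn the handler keeps the stale descriptor number, and because the field now outlives the function a later reader could reuse or re-close a number that by then belongs to another file; reset it after closing, `handler->pinfd = -1;`. The `== -1` test after pin_rootfs in the earlier hunk and the `>= 0` test here disagree about which negative values are failures: if pin_rootfs only ever returns -1 on error the `>= 0` guard is redundant, and if it returns other sentinels the error check misses them, so the two should be aligned once pin_rootfs's contract is confirmed. The out_abort path is outside the hunk, so whether the pin is released on the failure paths cannot be confirmed from this diff.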
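Review bot: `int pinfd;` is added to struct lxc_handler without a visible initializer; if lxc_init zero-fills the handler (not shown here), pinfd is 0, a valid descriptor, until pin_rootfs assigns it, so any path that reaches the new close in do_start or the lxc_spawn teardown before the pin is taken would close fd 0. Initialize the field to -1 where the handler is created and document its lifetime on the declaration: `int pinfd; /* rootfs pin fd; -1 when unpinned, closed by the child before exec and by the parent after spawn */`.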