From: Christian Brauner
Date: Tue, 2 Feb 2021 21:41:40 +0000 (+0100)
Subject: attach: explicitly close seccomp notifier fd
X-Git-Tag: lxc-5.0.0~305^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5bac50665e0b23a6aa3fc6e52ad8ab3abfc97e6;p=thirdparty%2Flxc.git
attach: explicitly close seccomp notifier fd
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index ee18bfa3e..dac1a93c6 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1208,6 +1208,7 @@ __noreturn static void do_attach(struct attach_payload *ap)
 ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
 if (ret < 0)
 goto on_error;
+ lxc_seccomp_close_notifier_fd(&conf->seccomp);
 }
 if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index 2e9bda5a4..33b50f5d3 100644
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -91,6 +91,14 @@ __hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, in
 __hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
 __hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath, struct lxc_seccomp *seccomp);
+static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+ if (seccomp->notifier.wants_supervision)
+ close_prot_errno_disarm(seccomp->notifier.notify_fd);
+#endif
+}
+
 static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
 {
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
@@ -162,5 +170,9 @@ static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
 return -EBADF;
 }
+static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
+{
+}
+
 #endif /* HAVE_SECCOMP */
 #endif /* __LXC_LXCSECCOMP_H */
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 94d33d26d..72cbb530a 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
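Review bot: The notifier fd is left open on the `goto on_error` path just above the new line, because lxc_seccomp_close_notifier_fd() is reached only when lxc_seccomp_send_notifier_fd() succeeds. do_attach() is declared __noreturn in the hunk header, so the error path presumably exits and the kernel reclaims the descriptor, but if on_error can still exec or otherwise hand control to the attached payload, a seccomp notifier fd inherited by the supervised process would let it answer its own notifications and defeat the supervision. Moving the close ahead of the check — `lxc_seccomp_close_notifier_fd(&conf->seccomp);` followed by `if (ret < 0) goto on_error;` — removes the dependency on what on_error does, provided close_prot_errno_disarm() preserves errno as its name suggests. The body of do_attach() starts and ends outside this hunk.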
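Review bot: The new lxc_seccomp_close_notifier_fd() carries no comment explaining why the attaching process must drop the fd once it has been handed over, and its guard tests wants_supervision rather than whether notify_fd actually holds an open descriptor. If wants_supervision is set but the fd was never created or was already disarmed, close_prot_errno_disarm() runs on a negative value; whether that is harmless depends on the macro, which is not visible here. A header comment such as `/* Close and disarm the seccomp notifier fd once it has been sent to the supervisor, so the attached process cannot inherit it and answer its own notifications. */` would record the intent, and guarding on `seccomp->notifier.notify_fd >= 0` (unless the macro already does) would make the helper safe to call unconditionally.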
@@ -1638,7 +1638,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
 int lxc_seccomp_add_notifier(const char *name, const char *lxcpath, struct lxc_seccomp *seccomp)
 {
-
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
 if (seccomp->notifier.wants_supervision) {
 int ret;