From 531d36ad009325b74a105d9d6956e320f37b2937 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Wed, 3 Feb 2021 09:48:25 +0100
Subject: [PATCH] rexec: mark all fds as close-on-exec if possible
Signed-off-by: Christian Brauner
---
 src/lxc/macro.h | 2 ++
 src/lxc/rexec.c | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 22f755fa4..bb8be340f 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -672,4 +672,6 @@ enum {
 #define ENOCGROUP2 ENOMEDIUM
+#define MAX_FILENO ~0U
+
 #endif /* __LXC_MACRO_H */
diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
index ba5cc0fe8..501aeedb7 100644
--- a/src/lxc/rexec.c
+++ b/src/lxc/rexec.c
@@ -162,6 +162,9 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
 if (execfd < 0)
 return;
+ ret = close_range(STDERR_FILENO, MAX_FILENO, CLOSE_RANGE_CLOEXEC);
+ if (ret && (errno != ENOSYS && errno != EINVAL))
+ fprintf(stderr, "%m - Failed to mark all file descriptors as close-on-exec\n");
 fexecve(execfd, argv, envp);
 }
--
2.47.2
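Review bot: `MAX_FILENO` in src/lxc/macro.h expands to a bare `~0U`, with no parentheses and no comment saying what it bounds. I would write `#define MAX_FILENO (~0U)` so the expansion stays a single unit wherever it is used, and add a comment such as `/* Largest possible fd number; inclusive upper bound for close_range(). */`. The name also resembles the stdio `*_FILENO` constants, which are small fixed descriptor numbers, so the comment prevents it being read as one of them.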
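Review bot: The range passed to `close_range()` in lxc_rexec_as_memfd() starts at `STDERR_FILENO`, and the `first` argument is inclusive, so fd 2 itself is marked close-on-exec and the re-executed binary starts without a stderr. The next descriptor that program opens can then be assigned fd 2 and receive diagnostics meant for stderr, which risks corrupting or leaking into an unrelated file or socket. Start one past stderr instead: `ret = close_range(STDERR_FILENO + 1, MAX_FILENO, CLOSE_RANGE_CLOEXEC);`. Separately, `ENOSYS` and `EINVAL` are ignored silently, so on kernels without this support every inherited descriptor still reaches the new image; a comment stating that this is best-effort hardening would make that explicit. The function body starts outside the hunk, so the declaration of `ret` is not visible here.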