From 538aa7168fca1adf2ecd0aa4a47e6b8856275f55 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Kriszti=C3=A1n=20Kov=C3=A1cs=20=28kkovacs=29?=
Date: Fri, 20 Sep 2019 14:48:19 +0000
Subject: [PATCH] BUG/MEDIUM: namespace: fix fd leak in master-worker mode

When namespaces are used in the configuration, the respective namespace handles are opened during config parsing and stored in an ebtree for lookup later. Unfortunately, when the master process re-execs itself these file descriptors were not closed, effectively leaking the fds and preventing destruction of namespaces no longer present in the configuration. This change fixes this issue by opening the namespace file handles as close-on-exec, making sure that they will be closed during re-exec.
---
 src/namespace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/namespace.c b/src/namespace.c
index 8a2e5a7b12..cfb81ba0f9 100644
--- a/src/namespace.c
+++ b/src/namespace.c
@@ -24,7 +24,7 @@ static int open_named_namespace(const char *ns_name)
 {
 if (chunk_printf(&trash, "/var/run/netns/%s", ns_name) < 0)
 return -1;
- return open(trash.area, O_RDONLY);
+ return open(trash.area, O_RDONLY | O_CLOEXEC);
 }

 static int default_namespace = -1;
@@ -33,7 +33,7 @@ static int init_default_namespace()
 {
 if (chunk_printf(&trash, "/proc/%d/ns/net", getpid()) < 0)
 return -1;
- default_namespace = open(trash.area, O_RDONLY);
+ default_namespace = open(trash.area, O_RDONLY | O_CLOEXEC);
 return default_namespace;
 }

--
2.47.3
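Review bot: `ns_name` is formatted straight into `"/var/run/netns/%s"` in open_named_namespace() with no check on its contents, so a name containing `/` or `..` would make the open() resolve outside /var/run/netns. The value comes from the configuration, and the callers may already validate it outside this hunk. If they do not, a cheap guard before the chunk_printf() call keeps the lookup confined to one directory entry: `if (!*ns_name || strchr(ns_name, '/')) return -1;`. The added O_CLOEXEC itself looks right for the re-exec leak described in the commit message.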
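Review bot: Nothing in the code records why O_CLOEXEC is needed on the open() in init_default_namespace(), or on the one in open_named_namespace() from the previous hunk. The flag now carries the reload behaviour, yet a later cleanup could drop it without any visible breakage until namespaces stop being released. I would put a short comment above each call, for example `/* O_CLOEXEC: the master re-execs itself on reload; an inherited netns fd would keep a removed namespace alive */`. Any other place that opens or duplicates namespace descriptors is outside this diff and would need the same treatment.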