Use O_CLOEXEC on mount files, and close them early

Signed-off-by: Alban Crequy <[email protected]>

libcontainer/init_linux.go

@@ -85,6 +85,14 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, fifoFd
 	}
 	switch t {
 	case initSetns:
+		// mountFiles is not needed in the setns case: close them all
+		for _, m := range mountFiles {
+			if m == nil {
+				continue
+			}
+			m.Close()
+		}
+
 		return &linuxSetnsInit{
 			pipe:          pipe,
 			consoleSocket: consoleSocket,

libcontainer/nsenter/nsexec.c

@@ -623,7 +623,7 @@ void receive_fd(int sockfd, int new_fd)
 		bail("received control message from unix socket %d with too many fds: %d", sockfd, fd_count);
 
 	fd_payload = (int *) CMSG_DATA (cmsg);
-	ret = dup2(*fd_payload, new_fd);
+	ret = dup3(*fd_payload, new_fd, O_CLOEXEC);
 	if (ret < 0)
 		bail("cannot dup2 fd %d to %d", *fd_payload, new_fd);
 
@@ -721,14 +721,14 @@ void send_mountsources(int sockfd, pid_t child, char *mountsources, size_t mount
 	if (mountsources == NULL)
 		return;
 
-	host_mntns_fd = open("/proc/self/ns/mnt", O_RDONLY);
+	host_mntns_fd = open("/proc/self/ns/mnt", O_RDONLY|O_CLOEXEC);
 	if (host_mntns_fd == -1)
 		bail("failed to get current mount namespace");
 
 	if (snprintf(proc_path, PATH_MAX, "/proc/%d/ns/mnt", child) < 0)
 		bail("failed to get mount namespace path");
 
-	container_mntns_fd = open(proc_path, O_RDONLY);
+	container_mntns_fd = open(proc_path, O_RDONLY|O_CLOEXEC);
 	if (container_mntns_fd == -1)
 		bail("failed to get container mount namespace");
 

libcontainer/standard_init_linux.go

@@ -89,6 +89,13 @@ func (l *linuxStandardInit) Init() error {
 	if err := prepareRootfs(l.pipe, l.config, l.mountFiles); err != nil {
 		return err
 	}
+	// We don't need mountFiles anymore: close them all
+	for _, m := range l.mountFiles {
+		if m == nil {
+			continue
+		}
+		m.Close()
+	}
 	// Set up the console. This has to be done *before* we finalize the rootfs,
 	// but *after* we've given the user the chance to set up all of the mounts
 	// they wanted.