From 6900793a171bdda7e1d63d47240c2b2158a017ef Mon Sep 17 00:00:00 2001 From: Alban Crequy Date: Mon, 14 Sep 2020 12:14:22 +0200 Subject: [PATCH] Use O_CLOEXEC on mount files, and close them early Signed-off-by: Alban Crequy --- libcontainer/init_linux.go | 8 ++++++++ libcontainer/nsenter/nsexec.c | 6 +++--- libcontainer/standard_init_linux.go | 7 +++++++ 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go index 173fe88dea0..277d877161a 100644 --- a/libcontainer/init_linux.go +++ b/libcontainer/init_linux.go @@ -85,6 +85,14 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, fifoFd } switch t { case initSetns: + // mountFiles is not needed in the setns case: close them all + for _, m := range mountFiles { + if m == nil { + continue + } + m.Close() + } + return &linuxSetnsInit{ pipe: pipe, consoleSocket: consoleSocket, diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c index ad23cd46d15..22d3d66a4b7 100644 --- a/libcontainer/nsenter/nsexec.c +++ b/libcontainer/nsenter/nsexec.c @@ -623,7 +623,7 @@ void receive_fd(int sockfd, int new_fd) bail("received control message from unix socket %d with too many fds: %d", sockfd, fd_count); fd_payload = (int *) CMSG_DATA (cmsg); - ret = dup2(*fd_payload, new_fd); + ret = dup3(*fd_payload, new_fd, O_CLOEXEC); if (ret < 0) bail("cannot dup2 fd %d to %d", *fd_payload, new_fd); @@ -721,14 +721,14 @@ void send_mountsources(int sockfd, pid_t child, char *mountsources, size_t mount if (mountsources == NULL) return; - host_mntns_fd = open("/proc/self/ns/mnt", O_RDONLY); + host_mntns_fd = open("/proc/self/ns/mnt", O_RDONLY|O_CLOEXEC); if (host_mntns_fd == -1) bail("failed to get current mount namespace"); if (snprintf(proc_path, PATH_MAX, "/proc/%d/ns/mnt", child) < 0) bail("failed to get mount namespace path"); - container_mntns_fd = open(proc_path, O_RDONLY); + container_mntns_fd = open(proc_path, O_RDONLY|O_CLOEXEC); if (container_mntns_fd == -1) bail("failed to get container mount namespace"); diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go index a1f2f908905..fe47eb6e178 100644 --- a/libcontainer/standard_init_linux.go +++ b/libcontainer/standard_init_linux.go @@ -89,6 +89,13 @@ func (l *linuxStandardInit) Init() error { if err := prepareRootfs(l.pipe, l.config, l.mountFiles); err != nil { return err } + // We don't need mountFiles anymore: close them all + for _, m := range l.mountFiles { + if m == nil { + continue + } + m.Close() + } // Set up the console. This has to be done *before* we finalize the rootfs, // but *after* we've given the user the chance to set up all of the mounts // they wanted.