[lxc-devel] [PATCH] don't leak the rootfs.pin fd into the container
Stéphane Graber
stgraber at ubuntu.com
Mon Jan 21 21:20:55 UTC 2013
On 01/17/2013 10:53 AM, Serge Hallyn wrote:
> Only the container parent needs to keep that fd open. Close it
> as soon as the container's first task is spawned. Else it can
> show up in /proc/$$/fd in the container.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/start.c | 12 +++++++-----
> src/lxc/start.h | 1 +
> 2 files changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 90696f6..5083b24 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -575,6 +575,9 @@ static int do_start(void *data)
>
> lxc_sync_fini_parent(handler);
>
> + /* don't leak the pinfd to the container */
> + close(handler->pinfd);
> +
> /* Tell the parent task it can begin to configure the
> * container and wait for it to finish
> */
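Review bot: The added `close(handler->pinfd)` in do_start is unconditional and leaves the old value in the handler, while the close at the end of lxc_spawn in this same patch is guarded by `handler->pinfd >= 0`. That guard suggests pin_rootfs can return a negative value other than -1. Making the two sites agree avoids calling close() on an invalid descriptor, and resetting the field keeps a later cleanup path from closing whatever descriptor has since reused that number: `if (handler->pinfd >= 0) close(handler->pinfd);` followed by `handler->pinfd = -1;`. The same reset to -1 is worth adding after the close in the last lxc_spawn hunk, since pinfd now lives in the handler beyond that function. do_start's body starts and ends outside this hunk.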
> @@ -691,7 +694,6 @@ int lxc_spawn(struct lxc_handler *handler)
> {
> int failed_before_rename = 0;
> const char *name = handler->name;
> - int pinfd;
>
> if (lxc_sync_init(handler))
> return -1;
> @@ -735,8 +737,8 @@ int lxc_spawn(struct lxc_handler *handler)
> * marking it readonly.
> */
>
> - pinfd = pin_rootfs(handler->conf->rootfs.path);
> - if (pinfd == -1) {
> + handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
> + if (handler->pinfd == -1) {
> ERROR("failed to pin the container's rootfs");
> goto out_abort;
> }
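Review bot: The explicit close in do_start covers only the container's first task; whether the descriptor is close-on-exec depends on pin_rootfs, which is not part of this patch. If pin_rootfs does not already open with `O_CLOEXEC`, any helper the parent execs between this call and the final close in lxc_spawn would presumably inherit the pin fd as well. It is worth confirming that and recording the intent here, e.g. `/* pin fd is held by the parent only; must not be inherited by children */`. lxc_spawn continues outside this hunk, so the out_abort path is not visible; failures after this point should close handler->pinfd there too if they do not already.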
> @@ -818,8 +820,8 @@ int lxc_spawn(struct lxc_handler *handler)
>
> lxc_sync_fini(handler);
>
> - if (pinfd >= 0)
> - close(pinfd);
> + if (handler->pinfd >= 0)
> + close(handler->pinfd);
>
> return 0;
>
> diff --git a/src/lxc/start.h b/src/lxc/start.h
> index 4b2e2b5..27688f3 100644
> --- a/src/lxc/start.h
> +++ b/src/lxc/start.h
> @@ -49,6 +49,7 @@ struct lxc_handler {
> #if HAVE_APPARMOR
> int aa_enabled;
> #endif
> + int pinfd;
> };
>
> extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
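Review bot: The new `int pinfd;` member has no comment and no visible initialiser. If lxc_init (declared below, defined outside this patch) zero-fills the handler, the field starts at 0, which is a valid descriptor and would pass the `handler->pinfd >= 0` guard in lxc_spawn. Setting `handler->pinfd = -1;` where the handler is created makes the "not open" state explicit. The field could be documented as `int pinfd; /* fd pinning the rootfs, held by the parent only; -1 when not open */`.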
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com