[lxc-devel] [PATCH] don't leak the rootfs.pin fd into the container

Stéphane Graber stgraber at ubuntu.com
Mon Jan 21 21:20:55 UTC 2013


On 01/17/2013 10:53 AM, Serge Hallyn wrote:
> Only the container parent needs to keep that fd open.  Close it
> as soon as the container's first task is spawned.  Else it can
> show up in /proc/$$/fd in the container.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/start.c | 12 +++++++-----
>  src/lxc/start.h |  1 +
>  2 files changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 90696f6..5083b24 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -575,6 +575,9 @@ static int do_start(void *data)
>  
>  	lxc_sync_fini_parent(handler);
>  
> +	/* don't leak the pinfd to the container */
> +	close(handler->pinfd);
> +
>  	/* Tell the parent task it can begin to configure the
>  	 * container and wait for it to finish
>  	 */
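Review bot: The new `close(handler->pinfd)` in do_start is unguarded and its return value ignored, while the matching close at the end of lxc_spawn keeps an `if (handler->pinfd >= 0)` guard; since lxc_spawn aborts only on `== -1` but guards its close with `>= 0`, the two conditions are presumably not equivalent and the child could call close() on a negative non-descriptor value. Make both sites the same: `if (handler->pinfd >= 0) close(handler->pinfd);`. Nothing in this patch initializes the new field (the start.h hunk adds `int pinfd;` with no default), so the handler constructor, which is outside these hunks, should set it to -1 so the guard is meaningful on any path that reaches the close before pin_rootfs() has run. As defence in depth, marking the descriptor FD_CLOEXEC in pin_rootfs() would keep it from surviving any exec that happens before this explicit close; do_start begins and ends outside the hunk.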
> @@ -691,7 +694,6 @@ int lxc_spawn(struct lxc_handler *handler)
>  {
>  	int failed_before_rename = 0;
>  	const char *name = handler->name;
> -	int pinfd;
>  
>  	if (lxc_sync_init(handler))
>  		return -1;
> @@ -735,8 +737,8 @@ int lxc_spawn(struct lxc_handler *handler)
>  	 * marking it readonly.
>  	 */
>  
> -	pinfd = pin_rootfs(handler->conf->rootfs.path);
> -	if (pinfd == -1) {
> +	handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
> +	if (handler->pinfd == -1) {
>  		ERROR("failed to pin the container's rootfs");
>  		goto out_abort;
>  	}
> @@ -818,8 +820,8 @@ int lxc_spawn(struct lxc_handler *handler)
>  
>  	lxc_sync_fini(handler);
>  
> -	if (pinfd >= 0)
> -		close(pinfd);
> +	if (handler->pinfd >= 0)
> +		close(handler->pinfd);
>  
>  	return 0;
>  
> diff --git a/src/lxc/start.h b/src/lxc/start.h
> index 4b2e2b5..27688f3 100644
> --- a/src/lxc/start.h
> +++ b/src/lxc/start.h
> @@ -49,6 +49,7 @@ struct lxc_handler {
>  #if HAVE_APPARMOR
>  	int aa_enabled;
>  #endif
> +	int pinfd;
>  };
>  
>  extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
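Review bot: The new `pinfd` member carries no comment, and its ownership is split across two functions, so a reader of the header cannot tell who closes it. Suggest `int pinfd; /* fd from pin_rootfs(), -1 when none; closed by the parent in lxc_spawn() and early on the container side in do_start() so it never shows in the container's /proc/PID/fd */`. The struct definition starts before this hunk.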
> 


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com


