[lxc-devel] [lxc/stable-2.0] attach: close lsm label file descriptor

brauner on Github lxc-bot at linuxcontainers.org
Thu Dec 8 22:21:22 UTC 2016


From a2d6fe80fbe08149338c48d078da726c1015bebc Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 8 Dec 2016 23:18:35 +0100
Subject: [PATCH] attach: close lsm label file descriptor

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/attach.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 2534152..f44be85 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -932,7 +932,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 
 		/* Open LSM fd and send it to child. */
 		if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) {
-			int on_exec, labelfd;
+			int on_exec;
+			int labelfd = -1;
 			on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
 			/* Open fd for the LSM security module. */
 			labelfd = lsm_openat(procfd, attached_pid, on_exec);
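Review bot: The new `int labelfd = -1;` initializer is dead, because the unconditional `labelfd = lsm_openat(...)` assignment four lines later overwrites it before any read; as a point of style, either drop the initializer or keep it and document why a sentinel is wanted, e.g. `int labelfd = -1; /* -1 so a failed open is distinguishable on cleanup paths */`. lxc_attach's enclosing block starts and ends outside this hunk.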
@@ -941,12 +942,15 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 
 			/* Send child fd of the LSM security module to write to. */
 			ret = lxc_abstract_unix_send_fd(ipc_sockets[0], labelfd, NULL, 0);
+			close(labelfd);
 			if (ret <= 0) {
 				ERROR("Intended to send file descriptor %d: %s.", labelfd, strerror(errno));
 				goto on_error;
 			}
 		}
 
+		if (procfd >= 0)
+			close(procfd);
 		/* Now shut down communication with child, we're done. */
 		shutdown(ipc_sockets[0], SHUT_RDWR);
 		close(ipc_sockets[0]);
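Review bot: The added `close(labelfd);` sits between `lxc_abstract_unix_send_fd(...)` and the `if (ret <= 0)` check, so a failing close can overwrite errno and the ERROR line then reports `strerror(errno)` for the close rather than for the failed send; preserve it with `int saved_errno = errno; close(labelfd); errno = saved_errno;` or move the close after the check and add one on the error path. The new `close(procfd);` also leaves procfd holding a closed descriptor, so if the on_error cleanup (outside this hunk) closes procfd as well, that is a double close on the error path; `procfd = -1;` after the close would make that safe. lxc_attach continues outside the hunk in both directions.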

