[lxc-devel] [lxd/master] forkexec: mark fd cloexec so the attaching process doesn't inherit it

[brauner on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200409/f9f20818/attachment.bin>
-------------- next part --------------
From 73b555a00be089dced1bd49b7892e3805ea9b0dc Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 10 Apr 2020 00:16:11 +0200
Subject: [PATCH] forkexec: mark fd cloexec so the attaching process doesn't
 inherit it

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/main_forkexec.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/lxd/main_forkexec.go b/lxd/main_forkexec.go
index 7133ef9108..ea2451e8df 100644
--- a/lxd/main_forkexec.go
+++ b/lxd/main_forkexec.go
@@ -100,6 +100,28 @@ static int push_vargs(char ***list, char *entry)
 	return 0;
 }
 
+static int fd_cloexec(int fd, bool cloexec)
+{
+	int oflags, nflags;
+
+	oflags = fcntl(fd, F_GETFD, 0);
+	if (oflags < 0)
+		return -errno;
+
+	if (cloexec)
+		nflags = oflags | FD_CLOEXEC;
+	else
+		nflags = oflags & ~FD_CLOEXEC;
+
+	if (nflags == oflags)
+		return 0;
+
+	if (fcntl(fd, F_SETFD, nflags) < 0)
+		return -errno;
+
+	return 0;
+}
+
 // We use a separate function because cleanup macros are called during stack
 // unwinding if I'm not mistaken and if the compiler knows it exits it won't
 // call them. That's not a problem since we're exiting but I just like to be on
@@ -169,6 +191,10 @@ __attribute__ ((noinline)) static int __forkexec(void)
 	if (!argvp || !*argvp)
 		return log_error(EXIT_FAILURE, "No command specified");
 
+	ret = fd_cloexec(status_pipe, true);
+	if (ret)
+		return EXIT_FAILURE;
+
 	c = lxc_container_new(name, lxcpath);
 	if (!c)
 		return EXIT_FAILURE;