Fix a stray FD leaking in containers when using preserve-fd

Signed-off-by: Aidan Hobson Sayers <[email protected]>
youki-dev · Aug 24, 2024 · 97574b1 · 97574b1
1 parent 97df099
commit 97574b1
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/crates/libcontainer/src/syscall/linux.rs b/crates/libcontainer/src/syscall/linux.rs
@@ -17,7 +17,7 @@ use nix::fcntl::{open, OFlag};
 use nix::mount::{mount, umount2, MntFlags, MsFlags};
 use nix::sched::{unshare, CloneFlags};
 use nix::sys::stat::{mknod, Mode, SFlag};
-use nix::unistd::{chown, chroot, fchdir, pivot_root, sethostname, Gid, Uid};
+use nix::unistd::{chown, chroot, close, fchdir, pivot_root, sethostname, Gid, Uid};
 use oci_spec::runtime::PosixRlimit;
 
 use super::{Result, Syscall, SyscallError};
@@ -233,7 +233,7 @@ impl Syscall for LinuxSyscall {
     fn pivot_rootfs(&self, path: &Path) -> Result<()> {
         // open the path as directory and read only
         let newroot =
-            open(path, OFlag::O_DIRECTORY | OFlag::O_RDONLY, Mode::empty()).map_err(|errno| {
+            open(path, OFlag::O_DIRECTORY | OFlag::O_RDONLY | OFlag::O_CLOEXEC, Mode::empty()).map_err(|errno| {
                 tracing::error!(?errno, ?path, "failed to open the new root for pivot root");
                 errno
             })?;
@@ -279,6 +279,11 @@ impl Syscall for LinuxSyscall {
             errno
         })?;
 
+        close(newroot).map_err(|errno| {
+            tracing::error!(?errno, ?newroot, "failed to close new root directory");
+            errno
+        })?;
+
         Ok(())
     }