From 97574b1015f8f8aa49c3a45a03e96c877cfda676 Mon Sep 17 00:00:00 2001
From: Aidan Hobson Sayers
Date: Sat, 24 Aug 2024 21:48:15 +0100
Subject: [PATCH] Fix a stray FD leaking in containers when using preserve-fd

Signed-off-by: Aidan Hobson Sayers
---
 crates/libcontainer/src/syscall/linux.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/crates/libcontainer/src/syscall/linux.rs b/crates/libcontainer/src/syscall/linux.rs
index 9bc2f13de8..bfa310349e 100644
--- a/crates/libcontainer/src/syscall/linux.rs
+++ b/crates/libcontainer/src/syscall/linux.rs
@@ -17,7 +17,7 @@ use nix::fcntl::{open, OFlag};
 use nix::mount::{mount, umount2, MntFlags, MsFlags};
 use nix::sched::{unshare, CloneFlags};
 use nix::sys::stat::{mknod, Mode, SFlag};
-use nix::unistd::{chown, chroot, fchdir, pivot_root, sethostname, Gid, Uid};
+use nix::unistd::{chown, chroot, close, fchdir, pivot_root, sethostname, Gid, Uid};
 use oci_spec::runtime::PosixRlimit;
 
 use super::{Result, Syscall, SyscallError};
@@ -233,7 +233,7 @@ impl Syscall for LinuxSyscall {
 fn pivot_rootfs(&self, path: &Path) -> Result<()> {
 // open the path as directory and read only
 let newroot =
- open(path, OFlag::O_DIRECTORY | OFlag::O_RDONLY, Mode::empty()).map_err(|errno| {
+ open(path, OFlag::O_DIRECTORY | OFlag::O_RDONLY | OFlag::O_CLOEXEC, Mode::empty()).map_err(|errno| {
 tracing::error!(?errno, ?path, "failed to open the new root for pivot root");
 errno
 })?;
@@ -279,6 +279,11 @@ impl Syscall for LinuxSyscall {
 errno
 })?;
 
+ close(newroot).map_err(|errno| {
+ tracing::error!(?errno, ?newroot, "failed to close new root directory");
+ errno
+ })?;
+
 Ok(())
 }
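Review bot: The reason for `OFlag::O_CLOEXEC` on the `open` call in pivot_rootfs is not recorded next to it, so a later refactor could drop the flag without noticing that it is what keeps `newroot` from being inherited across exec when a return happens before the explicit close. I would add above the call `// O_CLOEXEC: newroot must not be inherited across exec into the container, even if we return before closing it`. The rewritten `open(...)` line also looks longer than rustfmt's 100 columns once indentation is counted (indentation is not visible in this view), so it is worth running `cargo fmt` on the file. pivot_rootfs continues past the end of this hunk.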
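Review bot: The new `close(newroot)` runs only when every earlier step has succeeded; the `})?;` directly above it, and presumably the other fallible calls in the part of pivot_rootfs outside this hunk, return early and leave the descriptor open, so on those paths only the `O_CLOEXEC` flag added in the second hunk keeps it out of the container process. Tying the descriptor to an owning guard right after `open` would close it on every path, for example `let newroot = unsafe { OwnedFd::from_raw_fd(newroot) };` with `newroot.as_raw_fd()` passed to the later calls, assuming `open` returns a raw descriptor here as the `close(newroot)` call suggests. A regression test that starts a container with preserve-fd in use and checks that the container process's `/proc/self/fd` holds only the expected descriptors would keep this leak from coming back unnoticed.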