attach: explicitly close seccomp notifier fd

src/lxc/attach.c

@@ -1208,6 +1208,7 @@ __noreturn static void do_attach(struct attach_payload *ap)
 		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
 		if (ret < 0)
 			goto on_error;
+		lxc_seccomp_close_notifier_fd(&conf->seccomp);
 	}
 
 	if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))

src/lxc/lxcseccomp.h

@@ -91,6 +91,14 @@ __hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, in
 __hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
 __hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
 					     struct lxc_seccomp *seccomp);
+static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	if (seccomp->notifier.wants_supervision)
+		close_prot_errno_disarm(seccomp->notifier.notify_fd);
+#endif
+}
+
 static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
 {
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
@@ -162,5 +170,9 @@ static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
 	return -EBADF;
 }
 
+static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
+{
+}
+
 #endif /* HAVE_SECCOMP */
 #endif /* __LXC_LXCSECCOMP_H */

src/lxc/seccomp.c

@@ -1638,7 +1638,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
 int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
 			     struct lxc_seccomp *seccomp)
 {
-
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
 	if (seccomp->notifier.wants_supervision) {
 		int ret;