add option to close inherited fds

src/lxc/arguments.h

@@ -58,6 +58,9 @@ struct lxc_arguments {
 	/* for lxc-wait */
 	char *states;
 
+	/* close fds from parent? */
+	int close_all_fds;
+
 	/* remaining arguments */
 	char *const *argv;
 	int argc;

src/lxc/conf.h

@@ -215,6 +215,7 @@ struct lxc_conf {
 	struct lxc_console console;
 	struct lxc_rootfs rootfs;
 	char *ttydir;
+	int close_all_fds;
 };
 
 /*

src/lxc/execute.c

@@ -83,7 +83,7 @@ int lxc_execute(const char *name, char *const argv[], int quiet,
 		.quiet = quiet
 	};
 
-	if (lxc_check_inherited(-1))
+	if (lxc_check_inherited(conf, -1))
 		return -1;
 
 	return __lxc_start(name, conf, &execute_start_ops, &args);

src/lxc/lxc_start.c

@@ -58,8 +58,9 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
 	switch (c) {
 	case 'c': args->console = arg; break;
-	case 'd': args->daemonize = 1; break;
+	case 'd': args->daemonize = 1; args->close_all_fds = 1; break;
 	case 'f': args->rcfile = arg; break;
+	case 'C': args->close_all_fds = 1; break;
 	case 's': return lxc_config_define_add(&defines, arg);
 	}
 	return 0;
@@ -70,6 +71,7 @@ static const struct option my_longopts[] = {
 	{"rcfile", required_argument, 0, 'f'},
 	{"define", required_argument, 0, 's'},
 	{"console", required_argument, 0, 'c'},
+	{"close-all-fds", no_argument, 0, 'C'},
 	LXC_COMMON_OPTIONS
 };
 
@@ -85,6 +87,9 @@ Options :\n\
   -d, --daemon         daemonize the container\n\
   -f, --rcfile=FILE    Load configuration file FILE\n\
   -c, --console=FILE   Set the file output for the container console\n\
+  -C, --close-all-fds  If any fds are inherited, close them\n\
+                       If not specified, exit with failure instead\n\
+		       Note: --daemon implies --close-all-fds\n\
   -s, --define KEY=VAL Assign VAL to configuration variable KEY\n",
 	.options   = my_longopts,
 	.parser    = my_parser,
@@ -199,6 +204,9 @@ int main(int argc, char *argv[])
 		return err;
 	}
 
+	if (my_args.close_all_fds)
+		conf->close_all_fds = 1;
+
 	err = lxc_start(my_args.name, args, conf);
 
 	/*

src/lxc/restart.c

@@ -71,7 +71,7 @@ int lxc_restart(const char *name, int sfd, struct lxc_conf *conf, int flags)
 		.flags = flags
 	};
 
-	if (lxc_check_inherited(sfd))
+	if (lxc_check_inherited(conf, sfd))
 		return -1;
 
 	return __lxc_start(name, conf, &restart_ops, &restart_arg);

src/lxc/start.c

@@ -134,12 +134,13 @@ static int match_fd(int fd)
 	return (fd == 0 || fd == 1 || fd == 2);
 }
 
-int lxc_check_inherited(int fd_to_ignore)
+int lxc_check_inherited(struct lxc_conf *conf, int fd_to_ignore)
 {
 	struct dirent dirent, *direntp;
 	int fd, fddir;
 	DIR *dir;
 
+restart:
 	dir = opendir("/proc/self/fd");
 	if (!dir) {
 		WARN("failed to open directory: %m");
@@ -166,6 +167,12 @@ int lxc_check_inherited(int fd_to_ignore)
 		if (match_fd(fd))
 			continue;
 
+		if (conf->close_all_fds) {
+			close(fd);
+			closedir(dir);
+			INFO("closed inherited fd %d", fd);
+			goto restart;
+		}
 		WARN("inherited fd %d", fd);
 	}
 
@@ -709,7 +716,7 @@ int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf)
 		.argv = argv,
 	};
 
-	if (lxc_check_inherited(-1))
+	if (lxc_check_inherited(conf, -1))
 		return -1;
 
 	conf->need_utmp_watch = 1;

src/lxc/start.h

@@ -54,7 +54,7 @@ extern int lxc_poll(const char *name, struct lxc_handler *handler);
 extern void lxc_abort(const char *name, struct lxc_handler *handler);
 extern void lxc_fini(const char *name, struct lxc_handler *handler);
 extern int lxc_set_state(const char *, struct lxc_handler *, lxc_state_t);
-extern int lxc_check_inherited(int fd_to_ignore);
+extern int lxc_check_inherited(struct lxc_conf *conf, int fd_to_ignore);
 int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *,
 		void *);