Merge pull request #1348 from brauner/2016-12-08/fix_attach_fd_leak_stable-1.0

attach: close lsm label file descriptor

Merge pull request #1348 from brauner/2016-12-08/fix_attach_fd_leak_stable-1.0
bc84967f · Stéphane Graber · GitHub · 7586efbe · 2174895d · bc84967f
Commit bc84967f authored Dec 09, 2016 by Stéphane Graber Committed by GitHub Dec 09, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

attach.c src/lxc/attach.c +5 -1

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -941,7 +941,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 		/* Open LSM fd and send it to child. */
 		if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) {
-			int on_exec, labelfd;
+			int on_exec;
+			int labelfd = -1;
 			on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
 			/* Open fd for the LSM security module. */
 			labelfd = lsm_openat(procfd, attached_pid, on_exec);
@@ -950,6 +951,7 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 			/* Send child fd of the LSM security module to write to. */
 			ret = lxc_abstract_unix_send_fd(ipc_sockets[0], labelfd, NULL, 0);
+			close(labelfd);
 			if (ret <= 0) {
 				ERROR("Error using IPC to send child LSM fd (4): %s.",
 						strerror(errno));
@@ -957,6 +959,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 			}
 		}
+		if (procfd >= 0)
+			close(procfd);
 		/* now shut down communication with child, we're done */
 		shutdown(ipc_sockets[0], SHUT_RDWR);
 		close(ipc_sockets[0]);