Merge pull request #5464 from tianon/close-leftover-fds
This commit is contained in:
Michael Crosby
commit
8e22ca2eed
3 changed files with 56 additions and 2 deletions
|
|
@ -117,12 +117,16 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// finalizeNamespace drops the caps and sets the correct user
|
// finalizeNamespace drops the caps, sets the correct user
|
||||||
// and working dir before execing the command inside the namespace
|
// and working dir, and closes any leaky file descriptors
|
||||||
|
// before execing the command inside the namespace
|
||||||
func finalizeNamespace(container *libcontainer.Container) error {
|
func finalizeNamespace(container *libcontainer.Container) error {
|
||||||
if err := capabilities.DropCapabilities(container); err != nil {
|
if err := capabilities.DropCapabilities(container); err != nil {
|
||||||
return fmt.Errorf("drop capabilities %s", err)
|
return fmt.Errorf("drop capabilities %s", err)
|
||||||
}
|
}
|
||||||
|
if err := system.CloseFdsFrom(3); err != nil {
|
||||||
|
return fmt.Errorf("close open file descriptors %s", err)
|
||||||
|
}
|
||||||
if err := setupUser(container); err != nil {
|
if err := setupUser(container); err != nil {
|
||||||
return fmt.Errorf("setup user %s", err)
|
return fmt.Errorf("setup user %s", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
38
system/fds_linux.go
Normal file
38
system/fds_linux.go
Normal file
|
|
@ -0,0 +1,38 @@
|
||||||
|
package system
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io/ioutil"
|
||||||
|
"strconv"
|
||||||
|
"syscall"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Works similarly to OpenBSD's "closefrom(2)":
|
||||||
|
// The closefrom() call deletes all descriptors numbered fd and higher from
|
||||||
|
// the per-process file descriptor table. It is effectively the same as
|
||||||
|
// calling close(2) on each descriptor.
|
||||||
|
// http://www.openbsd.org/cgi-bin/man.cgi?query=closefrom&sektion=2
|
||||||
|
//
|
||||||
|
// See also http://stackoverflow.com/a/918469/433558
|
||||||
|
func CloseFdsFrom(minFd int) error {
|
||||||
|
fdList, err := ioutil.ReadDir("/proc/self/fd")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, fi := range fdList {
|
||||||
|
fd, err := strconv.Atoi(fi.Name())
|
||||||
|
if err != nil {
|
||||||
|
// ignore non-numeric file names
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if fd < minFd {
|
||||||
|
// ignore descriptors lower than our specified minimum
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// intentionally ignore errors from syscall.Close
|
||||||
|
syscall.Close(fd)
|
||||||
|
// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
12
system/fds_unsupported.go
Normal file
12
system/fds_unsupported.go
Normal file
|
|
@ -0,0 +1,12 @@
|
||||||
|
// +build !linux
|
||||||
|
|
||||||
|
package system
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"runtime"
|
||||||
|
)
|
||||||
|
|
||||||
|
func CloseFdsFrom(minFd int) error {
|
||||||
|
return fmt.Errorf("CloseFdsFrom is unsupported on this platform (%s/%s)", runtime.GOOS, runtime.GOARCH)
|
||||||
|
}
|
||||||
Loading…
Reference in a new issue