Re: [libvirt] PATCH: 1/7: Removing state from lxc_vm_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Aug 11, 2008 at 12:50:46PM +0200, Jim Meyering wrote:
> "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
> > This patch does some simple re-factoring of the way the TTYs and
> > control socket are handled to reduce the amount of state stored
> > in the lxc_vm_t structure, in preparation for the switchover to
> > the generic domain handling APIs.
> 
> One more thing:
> 
> ...
> > diff -r 63b8398c302e src/lxc_container.c
> > --- a/src/lxc_container.c	Mon Jul 14 12:18:23 2008 +0100
> > +++ b/src/lxc_container.c	Tue Jul 15 11:55:48 2008 +0100
> ...
> > -    close(0); close(1); close(2);
> > +    /* Just in case someone forget to set FD_CLOEXEC, explicitly
> > +     * close all FDs before executing the container */
> > +    open_max = sysconf (_SC_OPEN_MAX);
> > +    for (i = 0; i < open_max; i++)
> > +        if (i != ttyfd)
> > +            close(i);
> 
> Do you really need to close all file descriptors > 2 ?
> I seem to recall that an application doing this caused trouble
> when it closed a file descriptor (opened via the shell that I
> was using for log output.

This is important to ensuring no file descriptors are leaked into the
container we run because that would be a potential security problem.
In any case this code will be replaced by a call to virExec() by a 
later patch in this series.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]