On Mon, Aug 11, 2008 at 12:50:46PM +0200, Jim Meyering wrote: > "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote: > > This patch does some simple re-factoring of the way the TTYs and > > control socket are handled to reduce the amount of state stored > > in the lxc_vm_t structure, in preparation for the switchover to > > the generic domain handling APIs. > > One more thing: > > ... > > diff -r 63b8398c302e src/lxc_container.c > > --- a/src/lxc_container.c Mon Jul 14 12:18:23 2008 +0100 > > +++ b/src/lxc_container.c Tue Jul 15 11:55:48 2008 +0100 > ... > > - close(0); close(1); close(2); > > + /* Just in case someone forget to set FD_CLOEXEC, explicitly > > + * close all FDs before executing the container */ > > + open_max = sysconf (_SC_OPEN_MAX); > > + for (i = 0; i < open_max; i++) > > + if (i != ttyfd) > > + close(i); > > Do you really need to close all file descriptors > 2 ? > I seem to recall that an application doing this caused trouble > when it closed a file descriptor (opened via the shell that I > was using for log output. This is important to ensuring no file descriptors are leaked into the container we run because that would be a potential security problem. In any case this code will be replaced by a call to virExec() by a later patch in this series. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list