author | Fabricio Voznika <fvoznika@google.com> | 2018-06-04 11:51:27 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-06-04 11:52:17 -0700 |
commit | 55a37ceef1e33cc72236db6e95f159963ddf40bd (patch) | |
tree | 2dadd3fa65b3cba4e756a6c63e2e61af5dc2320f /runsc/sandbox/sandbox.go | |
parent | a0e2126be49e5eda45dcaead497129c08e08a1e5 (diff) |
Fix leaky FD
9P socket was being created without CLOEXEC and was being inherited
by the children. This would prevent the gofer from detecting that the
sandbox had exited, because the socket would not be closed.
PiperOrigin-RevId: 199168959
Change-Id: I3ee1a07cbe7331b0aeb1cf2b697e728ce24f85a7
Diffstat (limited to 'runsc/sandbox/sandbox.go')
-rw-r--r-- | runsc/sandbox/sandbox.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index a9486cfdc..91c44c996 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -195,7 +195,7 @@ func (s *Sandbox) createGoferProcess(spec *specs.Spec, conf *boot.Config, bundle
 goferEnds := make([]*os.File, 0, mountCount)
 for i := 0; i < mountCount; i++ {
 // Create socket that connects the sandbox and gofer.
- fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+ fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
 if err != nil {
 return nil, err
 }
 |
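Review bot: The reason for `syscall.SOCK_CLOEXEC` on the new `Socketpair` call is recorded only in the commit message, so a later edit could drop the flag without noticing that it carries the sandbox-exit detection. I would extend the comment above the call to something like `// CLOEXEC: an inherited copy would keep the socket open and hide the sandbox's exit from the gofer.` Separately, the `return nil, err` inside the loop exits after earlier iterations may already have created socket pairs. The loop body and the rest of createGoferProcess continue outside the hunk, so it is worth confirming that those descriptors are closed on this error path. A regression test asserting that a child started by runsc does not hold the 9P socket would keep this fix from silently regressing.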