Backport !2435 “gspawn: Report errors with closing file descriptors between fork/exec” to glib-2-70
If a seccomp policy is set up incorrectly so that it returns EPERM for close_range() rather than ENOSYS due to it not being recognised, no error would previously be reported from GLib, but some file descriptors wouldn’t be closed, and that would cause a hung zombie process. The zombie process would be waiting for one half of a socket to be closed. Fix that by correctly propagating errors from close_range() back to the parent process so they can be reported correctly.

Distributions which aren’t yet carrying the Docker fix to correctly return ENOSYS from unrecognised syscalls may want to temporarily carry an additional patch to fall back to safe_fdwalk() if close_range() fails with EPERM. This change will not be accepted upstream as EPERM is not the right error for close_range() to be returning.
Signed-off-by: Philip Withnall pwithnall@endlessos.org
Fixes: #2580

Trivial backport of !2435 to glib-2-70.
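An added illustration of the behaviour this backport describes (example code, not GLib's own gspawn implementation): try close_range(), fall back to walking the open descriptors only on ENOSYS, optionally also on EPERM as the temporary distro patch would, and otherwise return a negative errno that the child would write back to the parent over its error pipe rather than silently leaving descriptors open. The fallback walk, close_fds_from(), fd_is_closed() and demo_check() are constructed names for this example and stand in for GLib's safe_fdwalk().

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback: close every fd >= lowest_fd, walking /proc/self/fd when it is
 * available and brute-forcing up to the soft limit otherwise. Stands in for
 * GLib's safe_fdwalk() in this constructed example. */
static int fallback_close_from(int lowest_fd) {
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL) {
        long max = sysconf(_SC_OPEN_MAX);
        for (long fd = lowest_fd; fd < max; fd++) close((int) fd);
        return 0;
    }
    int self = dirfd(dir), fds[1024], n = 0;
    struct dirent *de;
    while ((de = readdir(dir)) != NULL && n < 1024) {
        int fd = atoi(de->d_name);   /* "." and ".." are skipped below */
        if (de->d_name[0] != '.' && fd >= lowest_fd && fd != self) fds[n++] = fd;
    }
    closedir(dir);                   /* close the directory fd before the rest */
    for (int i = 0; i < n; i++) close(fds[i]);
    return 0;
}

/* Mirrors the backported behaviour: fall back only when the kernel does not
 * know the syscall (ENOSYS); any other failure is propagated as -errno so the
 * parent can report it. allow_eperm_fallback models the optional distro patch
 * that also tolerates a seccomp policy wrongly answering EPERM. */
int close_fds_from(int lowest_fd, int allow_eperm_fallback) {
#ifdef __NR_close_range
    if (syscall(__NR_close_range, (unsigned) lowest_fd, ~0U, 0) == 0) return 0;
    int err = errno;
#else
    int err = ENOSYS;                /* headers predate close_range() */
#endif
    if (err == ENOSYS || (allow_eperm_fallback && err == EPERM))
        return fallback_close_from(lowest_fd);
    return -err;
}

/* 1 if fd is closed (EBADF), 0 if it is still open. */
int fd_is_closed(int fd) { return fcntl(fd, F_GETFD) == -1 && errno == EBADF; }

/* Self-check: both ends of a fresh pipe must be gone after the close. */
int demo_check(void) {
    int p[2];
    if (pipe(p) != 0) return 0;
    int lo = p[0] < p[1] ? p[0] : p[1];
    if (close_fds_from(lo, 1) != 0) return 0;
    return fd_is_closed(p[0]) && fd_is_closed(p[1]);
}
```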