
Backport !2435 “gspawn: Report errors with closing file descriptors between fork/exec” to glib-2-70

If a seccomp policy is set up incorrectly so that it returns EPERM for close_range() rather than ENOSYS due to it not being recognised, no error would previously be reported from GLib, but some file descriptors wouldn’t be closed, and that would cause a hung zombie process. The zombie process would be waiting for one half of a socket to be closed.

Fix that by correctly propagating errors from close_range() back to the parent process so they can be reported correctly.

Distributions which aren’t yet carrying the Docker fix to correctly return ENOSYS from unrecognised syscalls may want to temporarily carry an additional patch to fall back to safe_fdwalk() if close_range() fails with EPERM. This change will not be accepted upstream as EPERM is not the right error for close_range() to be returning.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2580 (closed)


Trivial backport of !2435 (merged) to glib-2-70.
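
The error handling the description calls for, as an added example (not GLib's code and not part of this merge request): only ENOSYS from close_range() means the syscall is missing and triggers a one-by-one fallback, while any other error such as EPERM goes back to the caller. The names `close_from`, `try_cleanup`, `real_close_range` and the two `fake_*` functions are hypothetical, and the fakes are constructed stand-ins for what a kernel or seccomp filter would answer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Same shape as close_range(2); injectable so a sandbox's answer can be simulated. */
typedef int (*close_range_fn)(unsigned first, unsigned last, unsigned flags);

/* Constructed stand-ins: an old kernel (ENOSYS) and a misconfigured seccomp policy (EPERM). */
int fake_enosys(unsigned a, unsigned b, unsigned c) { (void) a; (void) b; (void) c; errno = ENOSYS; return -1; }
int fake_eperm(unsigned a, unsigned b, unsigned c)  { (void) a; (void) b; (void) c; errno = EPERM;  return -1; }

int real_close_range(unsigned first, unsigned last, unsigned flags) {
#ifdef SYS_close_range
    return (int) syscall(SYS_close_range, first, last, flags);
#else
    return fake_enosys(first, last, flags);   /* headers predate the syscall */
#endif
}

/* Close every fd in [lowfd, limit). Returns 0, or -1 with errno set for the caller to report. */
int close_from(close_range_fn cr, int lowfd, int limit) {
    if (cr((unsigned) lowfd, (unsigned) limit - 1, 0) == 0)
        return 0;
    if (errno != ENOSYS)
        return -1;                /* EPERM and friends: propagate, never ignore */
    for (int fd = lowfd; fd < limit; fd++)   /* syscall absent: close one by one */
        if (close(fd) != 0 && errno != EBADF)
            return -1;
    return 0;
}

/* Returns 0 or the errno close_from() reported; *leaked is 1 if the pipe's write end stayed open. */
int try_cleanup(close_range_fn cr, int *leaked) {
    int p[2];
    if (pipe(p) != 0) return errno;
    int err = close_from(cr, p[1], p[1] + 1) == 0 ? 0 : errno;
    *leaked = fcntl(p[1], F_GETFD) != -1;   /* still open: a reader would never see EOF */
    close(p[1]);                            /* harmless EBADF if already closed */
    close(p[0]);
    return err;
}

int main(void) {
    int leaked = 0, err = try_cleanup(real_close_range, &leaked);
    printf("reported errno=%d, write end leaked=%d\n", err, leaked);
    return 0;
}
```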
