container: set CLOEXEC via close_range

This is guarded behind the close_range build tag for now.

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/container.go

@@ -186,31 +186,24 @@ var (
 	closeOnExecErr  error
 )
 
-// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
-// This is only ran once as it is intended to handle files left open by the parent, and any file opened
-// on this side should already have syscall.FD_CLOEXEC set.
+// ensureCloseOnExec ensures all currently open file descriptors have the
+// syscall.FD_CLOEXEC flag set.
+//
+// This is only ran once as it is intended to handle files left open by the
+// parent, and any file opened on this side should already have
+// syscall.FD_CLOEXEC set.
 func ensureCloseOnExec() error {
-	closeOnExecOnce.Do(func() {
-		const fdPrefixPath = "/proc/self/fd/"
-
-		var entries []os.DirEntry
-		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
-			return
-		}
-
-		var fd int
-		for _, ent := range entries {
-			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
-				break // not reached
-			}
-			CloseOnExec(fd)
-		}
-	})
+	closeOnExecOnce.Do(func() { closeOnExecErr = doCloseOnExec() })
 
 	if closeOnExecErr == nil {
 		return nil
 	}
-	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
+	return &StartError{
+		Fatal:       true,
+		Step:        "set FD_CLOEXEC on all open files",
+		Err:         closeOnExecErr,
+		Passthrough: true,
+	}
 }
 
 // Start starts the container init. The init process blocks until Serve is called.