container: set CLOEXEC via close_range

This is guarded behind the close_range build tag for now. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-03-17 14:19:00 +09:00
parent d1fc1a3db7
commit 0a12d456ce
3 changed files with 52 additions and 20 deletions
--- a/container/syscall_range_proc.go
+++ b/container/syscall_range_proc.go
@@ -0,0 +1,28 @@
+//go:build !close_range
+
+package container
+
+import (
+	"os"
+	"strconv"
+	"syscall"
+
+	"hakurei.app/container/fhs"
+)
+
+// doCloseOnExec implements ensureCloseOnExec by ranging over proc_pid_fd(5).
+func doCloseOnExec() error {
+	entries, err := os.ReadDir(fhs.ProcSelf + "fd/")
+	if err != nil {
+		return err
+	}
+
+	var fd int
+	for _, ent := range entries {
+		if fd, err = strconv.Atoi(ent.Name()); err != nil {
+			return err // not reached
+		}
+		syscall.CloseOnExec(fd)
+	}
+	return nil
+}