@lifubang lifubang commented Nov 19, 2025

backport #5026


Fix: #5021
Fix: #5007
Close: #5022
Close: #5024

Without deferring the closure of this file descriptor, starting a container with a very large number of devices can hit the RLIMIT_NOFILE limit.


The dependency was initially slated for an upgrade from v0.6.0 to v0.6.1
to address an fd leak. However, due to compatibility constraints, we
instead downgrade to v0.5, using v0.5.2 which includes a backported fix
for the same issue. So we also need to bump selinux from v1.13.0 to
v1.13.1.
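
The description above notes that holding a descriptor per device until setup returns can reach RLIMIT_NOFILE. The following is an added illustration, not code from this PR or from runc: it compares the peak number of open descriptors with and without a per-iteration deferred close, counted via `/proc/self/fd`. The helper names `openFDs` and `setupDevices` are hypothetical, `/dev/null` stands in for a device node, and Linux is assumed.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// openFDs counts this process's open descriptors (Linux; 0 if /proc is unavailable).
func openFDs() int {
	entries, _ := os.ReadDir("/proc/self/fd")
	return len(entries)
}

// setupDevices (hypothetical helper) opens path n times, standing in for
// per-device setup. closeEach=false holds every fd until return, so usage
// grows with n; closeEach=true defers Close inside each iteration.
func setupDevices(path string, n int, closeEach bool) (peak int, err error) {
	base := openFDs()
	var held []int
	defer func() {
		for _, fd := range held {
			syscall.Close(fd)
		}
	}()
	for i := 0; i < n && err == nil; i++ {
		err = func() error {
			fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
			if err != nil {
				return err // EMFILE once RLIMIT_NOFILE is reached
			}
			if closeEach {
				defer syscall.Close(fd)
			} else {
				held = append(held, fd)
			}
			if d := openFDs() - base; d > peak {
				peak = d
			}
			return nil
		}()
	}
	return peak, err
}

func main() {
	fmt.Println(setupDevices("/dev/null", 32, false)) // held until return
	fmt.Println(setupDevices("/dev/null", 32, true))  // closed per device
}
```

Comparing the descriptor count before and after a call, as the test for this example does, is the same kind of check a CI leak detector can apply around container setup.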

@cyphar cyphar left a comment

You should update to go-selinux v1.13.1 here -- v1.12.0 is insecure. Also filepath-securejoin v0.5.2 has been released.

@cyphar cyphar added this to the 1.3.4 milestone Nov 20, 2025
@lifubang lifubang force-pushed the ci-detect-fdleak-try-best-1.3 branch from acf798b to b1ec8d6 Compare November 20, 2025 07:14
@lifubang lifubang added the backport/1.3-pr A backport PR to release-1.3 label Nov 20, 2025
@cyphar cyphar changed the title from "[1.3] detect file descriptor leaks as comprehensively as possible" to "[1.3] fix fd leaks and detect them as comprehensively as possible" Nov 20, 2025
lifubang and others added 6 commits November 20, 2025 11:52
Co-authored-by: Aleksa Sarai <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit ba7f46d)
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit e027288)
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit 9a5e626)
Signed-off-by: lifubang <[email protected]>
elinux from v1.13.0 to v1.13.1

Signed-off-by: lifubang <[email protected]>
The dependency was initially slated for an upgrade from v0.6.0 to v0.6.1
to address an fd leak. However, due to compatibility constraints, we
instead downgrade to v0.5, using v0.5.2 which includes a backported fix
for the same issue.

Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit d870650)
Signed-off-by: lifubang <[email protected]>
@lifubang lifubang force-pushed the ci-detect-fdleak-try-best-1.3 branch from b1ec8d6 to ebea1f8 Compare November 20, 2025 11:52