build-fhs-userenv: don't leak file descriptors

This re-uses the capabilities documented in `Process.spawn` to avoid leaking
unecessary file-descriptors to the sandbox
This commit is contained in:
zimbatm 2015-12-10 16:01:04 +00:00
parent c3be340ae0
commit 9b33ec1764

View File

@ -140,10 +140,10 @@ if $cpid == 0
link_swdir.call swdir, Pathname.new('')
# New environment
ENV.replace(Hash[ envvars.map { |x| [x, ENV[x]] } ])
new_env = Hash[ envvars.map { |x| [x, ENV[x]] } ]
# Finally, exec!
exec *execp
exec(new_env, *execp, close_others: true, unsetenv_others: true)
end
# Wait for a child. If we catch a signal, resend it to child and continue