Snap for 5798008 from cf3bbea196ff781d94fb69d395ee7df00d1d3cb6 to sdk-release Change-Id: I5e66772536f7f6f5652523b3cbe60927b710b05c

commit: 573c21395cbfd72e8c5abcacd3f7014c87efb71a [log] [tgz]
author: android-build-prod (mdb) <android-build-team-robot@google.com> Tue Aug 13 01:59:55 2019 +0000
committer: android-build-prod (mdb) <android-build-team-robot@google.com> Tue Aug 13 01:59:55 2019 +0000
tree: a3773672f2aeebf3016e1b7bd8a04e4c684a44c8
parent: dc0cbb1b9828e7e4cda7ade225413eadf95568b7 [diff]
parent: cf3bbea196ff781d94fb69d395ee7df00d1d3cb6 [diff]
diff --git a/libminijail.c b/libminijail.c
index 43de3c4..4db32fa 100644
--- a/libminijail.c
+++ b/libminijail.c

@@ -2940,6 +2940,17 @@
 			inheritable_fds[size++] = stderr_fds[0];
 			inheritable_fds[size++] = stderr_fds[1];
 		}
+
+		/*
+		 * Preserve namespace file descriptors over the close_open_fds()
+		 * call. These are closed in minijail_enter() so they won't leak
+		 * into the child process.
+		 */
+		if (j->flags.enter_vfs)
+			minijail_preserve_fd(j, j->mountns_fd, j->mountns_fd);
+		if (j->flags.enter_net)
+			minijail_preserve_fd(j, j->netns_fd, j->netns_fd);
+
 		for (i = 0; i < j->preserved_fd_count; i++) {
 			/*
 			 * Preserve all parent_fds. They will be dup2(2)-ed in
commit	573c21395cbfd72e8c5abcacd3f7014c87efb71a	[log] [tgz]
author	android-build-prod (mdb) <android-build-team-robot@google.com>	Tue Aug 13 01:59:55 2019 +0000
committer	android-build-prod (mdb) <android-build-team-robot@google.com>	Tue Aug 13 01:59:55 2019 +0000
tree	a3773672f2aeebf3016e1b7bd8a04e4c684a44c8
parent	dc0cbb1b9828e7e4cda7ade225413eadf95568b7 [diff]
parent	cf3bbea196ff781d94fb69d395ee7df00d1d3cb6 [diff]