File 28434.patch of Package podman
From d20933df027fcaf5c51cbb1be9e5c9d334d73243 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Thu, 2 Apr 2026 15:06:37 +0200
Subject: [PATCH] add missing O_CLOEXEC to open calls
The go std os package will always make sure to use O_CLOEXEC, however
in cases where we directly call unix.Open() we need to pass that flag
explicitly.
I looked at this as there was a report of a leaked fd on the pasta list,
though I am not sure this will address it.
But anyway doing this should be rather safe and avoid leaks into other
processes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
cmd/rootlessport/main.go | 2 +-
libpod/oci_conmon_attach_linux.go | 2 +-
pkg/pidhandle/pidhandle_linux.go | 2 +-
pkg/specgen/generate/config_linux.go | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/rootlessport/main.go b/cmd/rootlessport/main.go
index f60a321640c..9f203434680 100644
--- a/cmd/rootlessport/main.go
+++ b/cmd/rootlessport/main.go
@@ -202,7 +202,7 @@ outer:
_ = os.Remove(socketfile)
// workaround to bypass the 108 char socket path limit
// open the fd and use the path to the fd as bind argument
- fd, err := unix.Open(socketDir, unix.O_PATH, 0)
+ fd, err := unix.Open(socketDir, unix.O_PATH|unix.O_CLOEXEC, 0)
if err != nil {
return err
}
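Review bot: The O_PATH fd opened on the changed line is still open when the hunk ends and nothing visible here closes it; if it is needed only to build the bind path, a `defer unix.Close(fd)` right after the error check would keep it from outliving the function, and the same question applies to openUnixSocket in libpod/oci_conmon_attach_linux.go. The comment above the call explains the /proc-path trick but not the new flag; extending it with `// O_CLOEXEC so the directory fd is not inherited by any child process` documents the change where a reader will look for it. The enclosing function starts and ends outside the hunk.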
diff --git a/libpod/oci_conmon_attach_linux.go b/libpod/oci_conmon_attach_linux.go
index 10435ee5e04..fb5a3d39359 100644
--- a/libpod/oci_conmon_attach_linux.go
+++ b/libpod/oci_conmon_attach_linux.go
@@ -10,7 +10,7 @@ import (
)
func openUnixSocket(path string) (*net.UnixConn, error) {
- fd, err := unix.Open(path, unix.O_PATH, 0)
+ fd, err := unix.Open(path, unix.O_PATH|unix.O_CLOEXEC, 0)
if err != nil {
return nil, err
}
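Review bot: openUnixSocket has no doc comment, and an O_PATH open of a socket path is unusual enough to deserve one; the intent looks like the same long-socket-path workaround used in cmd/rootlessport/main.go, but that is inferred from the other file rather than from this hunk, so a hedged line such as `// openUnixSocket connects to the unix socket at path through an O_PATH fd (NOTE(review): presumably to sidestep the sun_path length limit — confirm).` would be accurate without overclaiming. The rest of the function body is outside the hunk.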
diff --git a/pkg/pidhandle/pidhandle_linux.go b/pkg/pidhandle/pidhandle_linux.go
index 2420ed86c41..6e0140069f3 100644
--- a/pkg/pidhandle/pidhandle_linux.go
+++ b/pkg/pidhandle/pidhandle_linux.go
@@ -118,7 +118,7 @@ func NewPIDHandleFromString(pid int, pidData string) (PIDHandle, error) {
return nil, err
}
defer unix.Close(fd)
- pidfd, err := openByHandleAt(fd, fh, 0)
+ pidfd, err := openByHandleAt(fd, fh, unix.O_CLOEXEC)
if err != nil {
if err == unix.ESTALE {
h.normalHandle.pidData = noSuchProcessID
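Review bot: O_CLOEXEC is now passed to openByHandleAt, but the `fd` released by the `defer unix.Close(fd)` just above was obtained before the hunk starts and the flags used there are not visible; if that is a direct unix.Open or unix.Openat call it needs the same flag, otherwise that fd can still leak into child processes even though pidfd no longer does. Worth a quick check while this function is being touched. NewPIDHandleFromString starts and ends outside the hunk.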
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 2a34eee9058..453d4357d67 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -153,7 +153,7 @@ func addDevice(g *generate.Generator, device string) error {
} else if src == "/dev/fuse" {
// if the user is asking for fuse inside the container
// make sure the module is loaded.
- f, err := unix.Open(src, unix.O_RDONLY|unix.O_NONBLOCK, 0)
+ f, err := unix.Open(src, unix.O_RDONLY|unix.O_NONBLOCK|unix.O_CLOEXEC, 0)
if err == nil {
unix.Close(f)
}
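Review bot: The open of /dev/fuse on the changed line is a side-effect-only probe whose error is deliberately dropped, but the comment above only says the module should be loaded, so a reader may take the missing error handling for an oversight. Extending it with `// best effort: the open only triggers module autoload; the fd is closed at once and an open error is deliberately ignored` records the intent next to the code. Because the fd is closed immediately, O_CLOEXEC here only covers the short window before Close, which is still worth covering since a concurrent fork/exec from another goroutine could otherwise inherit it.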