smcv
commented
3 years ago Not a maintainer, but this looks good to me.
For a bit more context: not doing this breaks the ability to run commands on the host or in a sub-sandbox that are expected to signal readiness by closing a pipe. For example if you ran flatpak-spawn --host --forward-fd=3 -- dbus-daemon --print-address=3 and waited for the pipe passed as fd 3 to close. Because flatpak-spawn doesn't close the fds, even after the command run remotely (dbus-daemon in this case) has closed its copy of fd 3, the caller will not see EOF on the other end of the pipe.
This change is based on an equivalent fix in Steam's pressure-vessel, which contains code derived from Flatpak and flatpak-spawn. (Older source code is here, newer source code will appear here.)
alexlarsson
g_unix_fd_list_append() duplicates the given FD, so we need to close our copy, otherwise it might be left indefinitely open.
Also, as soon as we send them over D-Bus, we need to unref the FD list to avoid keeping them open.