From 4dbce7c85c563dcdae467b2427a85de12f707d41 Mon Sep 17 00:00:00 2001
From: lifubang <lifubang@acmcoder.com>
Date: Tue, 18 Nov 2025 09:57:17 +0000
Subject: [PATCH] gopathrs: close the fd after dup in openat2

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c1c2a539afea30fcfdd8982c33c72e4f5dce2cbf)
(cherry picked from commit 1eaadd6f23dd2bb710b1030728d3475995df8fc1)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
 CHANGELOG.md                 | 2 ++
 pathrs-lite/openat2_linux.go | 1 +
 2 files changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d4ff66..dc5eb82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
   denies `openat2(2)` then we would return that error rather than falling back
   to the `O_PATH` resolver. To resolve this issue, we no longer cache the
   result if `openat2(2)` was successful, only if there was an error.
+- A file descriptor leak in our `openat2` wrapper (when doing the necessary
+  `dup` for `RESOLVE_IN_ROOT`) has been removed.
 
 ## [0.5.1] - 2025-10-31 ##
 
diff --git a/pathrs-lite/openat2_linux.go b/pathrs-lite/openat2_linux.go
index 937bc43..dbbb88c 100644
--- a/pathrs-lite/openat2_linux.go
+++ b/pathrs-lite/openat2_linux.go
@@ -41,6 +41,7 @@ func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) {
 			if err != nil {
 				return nil, err
 			}
+			_ = file.Close()
 			file = newFile
 		}
 	}