fix: close namespace fd after Setns in joinSandboxNetNs

[Atishyy27]

Description

Fixes file descriptor leak in joinSandboxNetNs() by adding defer unix.Close(fd) immediately after opening the namespace file descriptor.

Problem

The function opens a file descriptor to the network namespace but never closes it. Since Kill() returns normally (no exec happens), the O_CLOEXEC flag doesn't help. The fd stays open through the rest of delete --force (Delete() + ExecuteHooks("Poststop")), keeping the namespace reference alive after the VMM is already dead.

Solution

Add defer unix.Close(fd) right after the unix.Open() call and error check. This follows the same pattern used in:

• vishvananda/netns
• runc

Closing the fd after Setns is safe and won't pull the thread out of the namespace.

Related issues

• Fixes Namespace fd not closed after Setns in joinSandboxNetNs #673

How was this tested?

Development environment is Windows, so local build/test was not possible (urunc requires Linux syscalls). The fix follows established patterns from vishvananda/netns and runc. CI tests will validate on Linux.

LLM usage

Claude 3.7 Sonnet (via claude.ai) was used to:

• Analyze the issue and identify the fix
• Guide through the contribution process
• Help format the commit message and PR description

Checklist

• I have read the contribution guide.
• The linter passes locally (make lint). (Unable to test on Windows)
• The e2e tests of at least one tool pass locally. (Unable to test on Windows)
• If LLMs were used: I have read the llm policy.

[netlify]

✅ Deploy Preview for urunc canceled.

Name	Link
🔨 Latest commit	dd25f51
🔍 Latest deploy log	https://app.netlify.com/projects/urunc/deploys/6a055ee3dcee2b0008bf86a7

[cmainas]

Duplicate with #610 and #634

[Atishyy27]

Closing as duplicate