Author izbyshev
Recipients gregory.p.smith, izbyshev, kevans, kevans91
Date 2022-04-08.14:29:29
Message-id <1649428170.19.0.996694042165.issue47260@roundup.psfhosted.org>
Content
After #40422 _Py_closerange() assumes that close_range() closes all file descriptors even if it returns an error (other than ENOSYS):

    if (close_range(first, last, 0) == 0 || errno != ENOSYS) {
        /* Any errors encountered while closing file descriptors are ignored;
         * ENOSYS means no kernel support, though,
         * so we'll fallback to the other methods. */
    }
    else
    /* fallbacks */


This assumption can be wrong on Linux if a seccomp sandbox denies the underlying syscall, pretending that it returns EPERM or EACCES. In this case _Py_closerange() won't close any descriptors at all, which in the worst case can be a security issue.

I propose to fix this by falling back to other methods in case of *any* close_range() error. Note that fallbacks will not be triggered on any problems with closing individual file descriptors because close_range() is documented to ignore such errors on both Linux[1] and FreeBSD[2].

[1] https://man7.org/linux/man-pages/man2/close_range.2.html
[2] https://www.freebsd.org/cgi/man.cgi?query=close_range&sektion=2
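
The failure mode described in this report, as an added example that is not CPython's code or the author's patch: a constructed stub stands in for close_range() under a seccomp filter that answers EPERM, and the ENOSYS-only check is compared with a fallback on any error. The function names and the simple per-descriptor close() loop used as the fallback are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

typedef int (*close_range_fn)(unsigned, unsigned, int);

/* Constructed stand-in for close_range() under a seccomp filter that
 * denies the syscall: nothing is closed and errno is set to EPERM. */
static int denied_close_range(unsigned first, unsigned last, int flags)
{
    (void)first; (void)last; (void)flags;
    errno = EPERM;
    return -1;
}

/* Check quoted in the report: only ENOSYS reaches the fallback loop. */
static void closerange_enosys_only(int first, int last, close_range_fn cr)
{
    if (cr(first, last, 0) == 0 || errno != ENOSYS)
        return;
    for (int fd = first; fd <= last; fd++)
        close(fd);
}

/* Proposed check: any close_range() failure reaches the fallback
 * (simplified here to a plain close() loop, an assumption). */
static void closerange_any_error(int first, int last, close_range_fn cr)
{
    if (cr(first, last, 0) == 0)
        return;
    for (int fd = first; fd <= last; fd++)
        close(fd);
}

/* Opens one descriptor, runs the variant over it with the denying stub,
 * and returns 1 if the descriptor is still open afterwards, 0 if closed. */
static int fd_survives(void (*variant)(int, int, close_range_fn))
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return -1;
    variant(fd, fd, denied_close_range);
    int still_open = fcntl(fd, F_GETFD) != -1;
    if (still_open) close(fd);
    return still_open;
}

int main(void)
{
    int leaked = fd_survives(closerange_enosys_only);
    return !(leaked == 1 && fd_survives(closerange_any_error) == 0);
}
```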