conmon: Make all file descriptors CLOEXEC
We want to avoid inheriting these into the child. Doing so is both confusing for the child, and a potential security issue if the container has access to FDs that are from the outside of the container. Some of these are created after we fork for the child, so they are not technically necessary. However, its best to do this as we may change the code in the future and forget about this. Signed-off-by: Alexander Larsson <alexl@redhat.com>
This commit is contained in:
Alexander Larsson
parent
829ec7f351
commit
f3408cbb5c
1 changed files with 10 additions and 8 deletions
|
|
@ -348,7 +348,7 @@ static char *process_cgroup_subsystem_path(int pid, const char *subsystem) {
|
|||
}
|
||||
|
||||
_cleanup_fclose_ FILE *fp = NULL;
|
||||
fp = fopen(cgroups_file_path, "r");
|
||||
fp = fopen(cgroups_file_path, "re");
|
||||
if (fp == NULL) {
|
||||
nwarn("Failed to open cgroups file: %s", cgroups_file_path);
|
||||
return NULL;
|
||||
|
|
@ -482,10 +482,12 @@ int main(int argc, char *argv[])
|
|||
sync_pipe_fd = strtol(sync_pipe, &endptr, 10);
|
||||
if (errno != 0 || *endptr != '\0')
|
||||
pexit("unable to parse _OCI_SYNCPIPE");
|
||||
if (fcntl(sync_pipe_fd, F_SETFD, FD_CLOEXEC) == -1)
|
||||
pexit("unable to make _OCI_SYNCPIPE CLOEXEC");
|
||||
}
|
||||
|
||||
/* Open the log path file. */
|
||||
logfd = open(log_path, O_WRONLY | O_APPEND | O_CREAT);
|
||||
logfd = open(log_path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC);
|
||||
if (logfd < 0)
|
||||
pexit("Failed to open log file");
|
||||
|
||||
|
|
@ -539,13 +541,13 @@ int main(int argc, char *argv[])
|
|||
* used anything else (and it wouldn't be a good idea to create a new
|
||||
* pty pair in the host).
|
||||
*/
|
||||
if (pipe(fds) < 0)
|
||||
if (pipe2(fds, O_CLOEXEC) < 0)
|
||||
pexit("Failed to create !terminal stdout pipe");
|
||||
|
||||
masterfd_stdout = fds[0];
|
||||
slavefd_stdout = fds[1];
|
||||
|
||||
if (pipe(fds) < 0)
|
||||
if (pipe2(fds, O_CLOEXEC) < 0)
|
||||
pexit("Failed to create !terminal stderr pipe");
|
||||
|
||||
masterfd_stderr = fds[0];
|
||||
|
|
@ -743,17 +745,17 @@ int main(int argc, char *argv[])
|
|||
bool oom_handling_enabled = true;
|
||||
char memory_cgroup_file_path[PATH_MAX];
|
||||
snprintf(memory_cgroup_file_path, PATH_MAX, "%s/cgroup.event_control", memory_cgroup_path);
|
||||
if ((cfd = open(memory_cgroup_file_path, O_WRONLY)) == -1) {
|
||||
if ((cfd = open(memory_cgroup_file_path, O_WRONLY | O_CLOEXEC)) == -1) {
|
||||
nwarn("Failed to open %s", memory_cgroup_file_path);
|
||||
oom_handling_enabled = false;
|
||||
}
|
||||
|
||||
if (oom_handling_enabled) {
|
||||
snprintf(memory_cgroup_file_path, PATH_MAX, "%s/memory.oom_control", memory_cgroup_path);
|
||||
if ((ofd = open(memory_cgroup_file_path, O_RDONLY)) == -1)
|
||||
if ((ofd = open(memory_cgroup_file_path, O_RDONLY | O_CLOEXEC)) == -1)
|
||||
pexit("Failed to open %s", memory_cgroup_file_path);
|
||||
|
||||
if ((efd = eventfd(0, 0)) == -1)
|
||||
if ((efd = eventfd(0, EFD_CLOEXEC)) == -1)
|
||||
pexit("Failed to create eventfd");
|
||||
|
||||
wb = snprintf(buf, BUF_SIZE, "%d %d", efd, ofd);
|
||||
|
|
@ -767,7 +769,7 @@ int main(int argc, char *argv[])
|
|||
* attach and other important things. Using epoll directly is just
|
||||
* really nasty.
|
||||
*/
|
||||
epfd = epoll_create(5);
|
||||
epfd = epoll_create1(EPOLL_CLOEXEC);
|
||||
if (epfd < 0)
|
||||
pexit("epoll_create");
|
||||
ev.events = EPOLLIN;
|
||||
|
|
|
|||
Loading…
Reference in a new issue