authorRichard W.M. Jones <rjones@redhat.com>2012-03-14 19:30:46 +0000
committerRichard W.M. Jones <rjones@redhat.com>2012-03-14 19:30:46 +0000
commit606732d02e678161ff433040a21d54fc2ea8bb43 (patch)
tree7549558e51d1dd45a45e71ce219084e368eb845d /daemon
parent13e7a1b400b7e2a5e9335d25205b09e74c89d858 (diff)
Use O_CLOEXEC / SOCK_CLOEXEC for almost all file descriptors.
The presumption is that all file descriptors should be created with the close-on-exec flag set. The only exceptions are file descriptors that we want passed through to exec'd subprocesses (mainly pipes and stdin/stdout/stderr). For open calls, we pass O_CLOEXEC as an extra flag, e.g.: fd = open ("foo", O_RDONLY|O_CLOEXEC); This is a Linux-ism, but using a macro we can easily make it portable. For sockets, similarly: sock = socket (..., SOCK_STREAM|SOCK_CLOEXEC, ...); For accepted sockets, we use the Linux accept4 system call, which allows flags to be supplied, but we use the Gnulib 'accept4' module to make this portable. For dup and dup2, we use the Linux dup3 system call, and the Gnulib modules 'dup3' and 'cloexec'.
Diffstat (limited to 'daemon')
-rw-r--r--daemon/9p.c2
-rw-r--r--daemon/checksum.c4
-rw-r--r--daemon/copy.c6
-rw-r--r--daemon/daemon.h4
-rw-r--r--daemon/dd.c8
-rw-r--r--daemon/debug.c6
-rw-r--r--daemon/devsparts.c2
-rw-r--r--daemon/fallocate.c2
-rw-r--r--daemon/file.c20
-rw-r--r--daemon/grep.c2
-rw-r--r--daemon/guestfsd.c12
-rw-r--r--daemon/headtail.c2
-rw-r--r--daemon/hexdump.c2
-rw-r--r--daemon/initrd.c2
-rw-r--r--daemon/link.c2
-rw-r--r--daemon/realpath.c8
-rw-r--r--daemon/stat.c2
-rw-r--r--daemon/strings.c2
-rw-r--r--daemon/truncate.c2
-rw-r--r--daemon/upload.c8
-rw-r--r--daemon/wc.c2
-rw-r--r--daemon/zero.c8
22 files changed, 57 insertions, 51 deletions
diff --git a/daemon/9p.c b/daemon/9p.c
index 6243919d..8c0eeb68 100644
--- a/daemon/9p.c
+++ b/daemon/9p.c
@@ -125,7 +125,7 @@ read_whole_file (const char *filename)
size_t alloc = 0, size = 0;
int fd;
- fd = open (filename, O_RDONLY);
+ fd = open (filename, O_RDONLY|O_CLOEXEC);
if (fd == -1) {
perror (filename);
return NULL;
diff --git a/daemon/checksum.c b/daemon/checksum.c
index be460f8a..2cc4a2b6 100644
--- a/daemon/checksum.c
+++ b/daemon/checksum.c
@@ -95,7 +95,7 @@ do_checksum (const char *csumtype, const char *path)
int fd;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
@@ -111,7 +111,7 @@ do_checksum_device (const char *csumtype, const char *device)
{
int fd;
- fd = open (device, O_RDONLY);
+ fd = open (device, O_RDONLY|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("%s", device);
return NULL;
diff --git a/daemon/copy.c b/daemon/copy.c
index 4bfbfa96..e895fbd8 100644
--- a/daemon/copy.c
+++ b/daemon/copy.c
@@ -29,8 +29,8 @@
#include "daemon.h"
#include "actions.h"
-#define DEST_FILE_FLAGS O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0666
-#define DEST_DEVICE_FLAGS O_WRONLY, 0
+#define DEST_FILE_FLAGS O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY|O_CLOEXEC, 0666
+#define DEST_DEVICE_FLAGS O_WRONLY|O_CLOEXEC, 0
/* NB: We cheat slightly by assuming that optargs_bitmask is
* compatible for all four of the calls. This is true provided they
@@ -78,7 +78,7 @@ copy (const char *src, const char *src_display,
size = -1;
/* Open source and destination. */
- src_fd = open (src, O_RDONLY);
+ src_fd = open (src, O_RDONLY|O_CLOEXEC);
if (src_fd == -1) {
reply_with_perror ("%s", src_display);
return -1;
diff --git a/daemon/daemon.h b/daemon/daemon.h
index f3e77da5..b7c1fd8e 100644
--- a/daemon/daemon.h
+++ b/daemon/daemon.h
@@ -30,6 +30,10 @@
#include "guestfs_protocol.h"
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
/*-- in guestfsd.c --*/
extern int verbose;
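Review bot: The `#define O_CLOEXEC 0` fallback makes every `open (..., O_CLOEXEC)` in this commit compile on a platform that lacks the flag, but there the flag is a silent no-op and the descriptors are inherited by exec'd subprocesses exactly as before. That should at least be stated above the fallback, for example `/* No O_CLOEXEC here: descriptors opened with it are NOT close-on-exec on this platform. */`. A stronger option is to set `FD_CLOEXEC` with `fcntl` after the open when the real flag is missing (Gnulib's 'cloexec' module, which this commit already pulls in for realpath.c, provides `set_cloexec_flag`). Whether any supported build target actually takes the fallback is not visible from this page.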
diff --git a/daemon/dd.c b/daemon/dd.c
index a98f7ae0..8bc4aaba 100644
--- a/daemon/dd.c
+++ b/daemon/dd.c
@@ -79,14 +79,14 @@ do_copy_size (const char *src, const char *dest, int64_t ssize)
int src_fd, dest_fd;
if (STRPREFIX (src, "/dev/"))
- src_fd = open (src, O_RDONLY);
+ src_fd = open (src, O_RDONLY | O_CLOEXEC);
else {
buf = sysroot_path (src);
if (!buf) {
reply_with_perror ("malloc");
return -1;
}
- src_fd = open (buf, O_RDONLY);
+ src_fd = open (buf, O_RDONLY | O_CLOEXEC);
free (buf);
}
if (src_fd == -1) {
@@ -95,7 +95,7 @@ do_copy_size (const char *src, const char *dest, int64_t ssize)
}
if (STRPREFIX (dest, "/dev/"))
- dest_fd = open (dest, O_WRONLY);
+ dest_fd = open (dest, O_WRONLY | O_CLOEXEC);
else {
buf = sysroot_path (dest);
if (!buf) {
@@ -103,7 +103,7 @@ do_copy_size (const char *src, const char *dest, int64_t ssize)
close (src_fd);
return -1;
}
- dest_fd = open (buf, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0666);
+ dest_fd = open (buf, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY|O_CLOEXEC, 0666);
free (buf);
}
if (dest_fd == -1) {
diff --git a/daemon/debug.c b/daemon/debug.c
index 4e8d6625..8be48ff8 100644
--- a/daemon/debug.c
+++ b/daemon/debug.c
@@ -466,7 +466,7 @@ debug_core_pattern (const char *subcmd, size_t argc, char *const *const argv)
const size_t pattern_len = strlen(pattern);
#define CORE_PATTERN "/proc/sys/kernel/core_pattern"
- int fd = open (CORE_PATTERN, O_WRONLY);
+ int fd = open (CORE_PATTERN, O_WRONLY|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("open: " CORE_PATTERN);
return NULL;
@@ -532,7 +532,7 @@ debug_qtrace (const char *subcmd, size_t argc, char *const *const argv)
return NULL;
/* Note this doesn't do device name translation or check this is a device. */
- int fd = open (argv[0], O_RDONLY | O_DIRECT);
+ int fd = open (argv[0], O_RDONLY|O_DIRECT|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("qtrace: %s: open", argv[0]);
return NULL;
@@ -602,7 +602,7 @@ do_debug_upload (const char *filename, int mode)
/* Not chrooted - this command lets you upload a file to anywhere
* in the appliance.
*/
- int fd = open (filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, mode);
+ int fd = open (filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY|O_CLOEXEC, mode);
if (fd == -1) {
int err = errno;
diff --git a/daemon/devsparts.c b/daemon/devsparts.c
index 6fb00978..1848c4f9 100644
--- a/daemon/devsparts.c
+++ b/daemon/devsparts.c
@@ -68,7 +68,7 @@ foreach_block_device (block_dev_func_t func)
* CD-ROM device even though we didn't request it. Try to
* detect this by seeing if the device contains media.
*/
- int fd = open (dev_path, O_RDONLY);
+ int fd = open (dev_path, O_RDONLY|O_CLOEXEC);
if (fd == -1) {
perror (dev_path);
continue;
diff --git a/daemon/fallocate.c b/daemon/fallocate.c
index bc744f59..f98babfb 100644
--- a/daemon/fallocate.c
+++ b/daemon/fallocate.c
@@ -45,7 +45,7 @@ do_fallocate64 (const char *path, int64_t len)
int fd;
CHROOT_IN;
- fd = open (path, O_WRONLY | O_CREAT | O_TRUNC | O_NOCTTY, 0666);
+ fd = open (path, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY|O_CLOEXEC, 0666);
CHROOT_OUT;
if (fd == -1) {
reply_with_perror ("open: %s", path);
diff --git a/daemon/file.c b/daemon/file.c
index ef7b50c0..cdf6b1bc 100644
--- a/daemon/file.c
+++ b/daemon/file.c
@@ -62,7 +62,7 @@ do_touch (const char *path)
}
CHROOT_IN;
- fd = open (path, O_WRONLY | O_CREAT | O_NOCTTY, 0666);
+ fd = open (path, O_WRONLY|O_CREAT|O_NOCTTY|O_CLOEXEC, 0666);
CHROOT_OUT;
if (fd == -1) {
@@ -94,7 +94,7 @@ do_cat (const char *path)
char *buf, *buf2;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
@@ -305,7 +305,7 @@ do_write_file (const char *path, const char *content, int size)
}
CHROOT_IN;
- fd = open (path, O_WRONLY | O_TRUNC | O_CREAT | O_NOCTTY, 0666);
+ fd = open (path, O_WRONLY|O_TRUNC|O_CREAT|O_NOCTTY|O_CLOEXEC, 0666);
CHROOT_OUT;
if (fd == -1) {
@@ -333,7 +333,7 @@ do_write (const char *path, const char *content, size_t size)
int fd;
CHROOT_IN;
- fd = open (path, O_WRONLY | O_TRUNC | O_CREAT | O_NOCTTY, 0666);
+ fd = open (path, O_WRONLY|O_TRUNC|O_CREAT|O_NOCTTY|O_CLOEXEC, 0666);
CHROOT_OUT;
if (fd == -1) {
@@ -361,7 +361,7 @@ do_write_append (const char *path, const char *content, size_t size)
int fd;
CHROOT_IN;
- fd = open (path, O_WRONLY | O_APPEND | O_CREAT | O_NOCTTY, 0666);
+ fd = open (path, O_WRONLY|O_APPEND|O_CREAT|O_NOCTTY|O_CLOEXEC, 0666);
CHROOT_OUT;
if (fd == -1) {
@@ -391,7 +391,7 @@ do_read_file (const char *path, size_t *size_r)
char *r;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
@@ -506,7 +506,7 @@ do_pread (const char *path, int count, int64_t offset, size_t *size_r)
int fd;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
@@ -520,7 +520,7 @@ do_pread (const char *path, int count, int64_t offset, size_t *size_r)
char *
do_pread_device (const char *device, int count, int64_t offset, size_t *size_r)
{
- int fd = open (device, O_RDONLY);
+ int fd = open (device, O_RDONLY|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("open: %s", device);
return NULL;
@@ -561,7 +561,7 @@ do_pwrite (const char *path, const char *content, size_t size, int64_t offset)
}
CHROOT_IN;
- fd = open (path, O_WRONLY);
+ fd = open (path, O_WRONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
@@ -581,7 +581,7 @@ do_pwrite_device (const char *device, const char *content, size_t size,
return -1;
}
- int fd = open (device, O_WRONLY);
+ int fd = open (device, O_WRONLY|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("open: %s", device);
return -1;
diff --git a/daemon/grep.c b/daemon/grep.c
index 3562f369..285c48ec 100644
--- a/daemon/grep.c
+++ b/daemon/grep.c
@@ -36,7 +36,7 @@ grep (const char *prog, const char *flag, const char *regex, const char *path)
char **lines;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
diff --git a/daemon/guestfsd.c b/daemon/guestfsd.c
index ac89a214..a7c111b0 100644
--- a/daemon/guestfsd.c
+++ b/daemon/guestfsd.c
@@ -247,7 +247,7 @@ main (int argc, char *argv[])
copy_lvm ();
/* Connect to virtio-serial channel. */
- int sock = open (VIRTIO_SERIAL_CHANNEL, O_RDWR | O_CLOEXEC);
+ int sock = open (VIRTIO_SERIAL_CHANNEL, O_RDWR|O_CLOEXEC);
if (sock == -1) {
fprintf (stderr,
"\n"
@@ -292,7 +292,7 @@ main (int argc, char *argv[])
static char *
read_cmdline (void)
{
- int fd = open ("/proc/cmdline", O_RDONLY);
+ int fd = open ("/proc/cmdline", O_RDONLY|O_CLOEXEC);
if (fd == -1) {
perror ("/proc/cmdline");
return NULL;
@@ -713,7 +713,7 @@ commandrvf (char **stdoutput, char **stderror, int flags,
close (stdin_fd[1]);
} else {
/* Set stdin to /dev/null (ignore failure) */
- ignore_value (open ("/dev/null", O_RDONLY));
+ ignore_value (open ("/dev/null", O_RDONLY|O_CLOEXEC));
}
close (so_fd[0]);
close (se_fd[0]);
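Review bot: The `/dev/null` open in commandrvf should not get `O_CLOEXEC`. The comment says this descriptor becomes stdin, and the surrounding `close (so_fd[0])` / `close (se_fd[0])` suggest the code runs in the forked child shortly before exec. With the flag set, fd 0 is closed at exec, so the subprocess starts with no stdin and the first file it opens can land on descriptor 0. The commit message itself lists stdin/stdout/stderr as the exception to the rule, so keep `ignore_value (open ("/dev/null", O_RDONLY));` here. The fork and exec calls lie outside the hunk, so confirm this against the full function.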
@@ -1079,7 +1079,7 @@ device_name_translation (char *device)
{
int fd;
- fd = open (device, O_RDONLY);
+ fd = open (device, O_RDONLY|O_CLOEXEC);
if (fd >= 0) {
close_ok:
close (fd);
@@ -1094,12 +1094,12 @@ device_name_translation (char *device)
return -1;
device[5] = 'h'; /* /dev/hd (old IDE driver) */
- fd = open (device, O_RDONLY);
+ fd = open (device, O_RDONLY|O_CLOEXEC);
if (fd >= 0)
goto close_ok;
device[5] = 'v'; /* /dev/vd (for virtio devices) */
- fd = open (device, O_RDONLY);
+ fd = open (device, O_RDONLY|O_CLOEXEC);
if (fd >= 0)
goto close_ok;
diff --git a/daemon/headtail.c b/daemon/headtail.c
index 83f3f5c0..ce59d174 100644
--- a/daemon/headtail.c
+++ b/daemon/headtail.c
@@ -36,7 +36,7 @@ headtail (const char *prog, const char *flag, const char *n, const char *path)
char **lines;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
diff --git a/daemon/hexdump.c b/daemon/hexdump.c
index 36986135..7fa5fbd8 100644
--- a/daemon/hexdump.c
+++ b/daemon/hexdump.c
@@ -34,7 +34,7 @@ do_hexdump (const char *path)
char *out, *err;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
diff --git a/daemon/initrd.c b/daemon/initrd.c
index c1ef2d1c..2ded14a6 100644
--- a/daemon/initrd.c
+++ b/daemon/initrd.c
@@ -126,7 +126,7 @@ do_initrd_cat (const char *path, const char *filename, size_t *size_r)
struct stat statbuf;
int fd;
- fd = open (fullpath, O_RDONLY);
+ fd = open (fullpath, O_RDONLY|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("open: %s:%s", path, filename);
rmdir (tmpdir);
diff --git a/daemon/link.c b/daemon/link.c
index a8162a29..c4cdfe1d 100644
--- a/daemon/link.c
+++ b/daemon/link.c
@@ -63,7 +63,7 @@ do_readlinklist (const char *path, char *const *names)
DECLARE_STRINGSBUF (ret);
CHROOT_IN;
- fd_cwd = open (path, O_RDONLY | O_DIRECTORY);
+ fd_cwd = open (path, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
CHROOT_OUT;
if (fd_cwd == -1) {
diff --git a/daemon/realpath.c b/daemon/realpath.c
index 126ef193..2d657a4c 100644
--- a/daemon/realpath.c
+++ b/daemon/realpath.c
@@ -27,6 +27,8 @@
#include <sys/types.h>
#include <dirent.h>
+#include "cloexec.h"
+
#include "daemon.h"
#include "optgroups.h"
#include "actions.h"
@@ -88,7 +90,7 @@ do_case_sensitive_path (const char *path)
/* 'fd_cwd' here is a surrogate for the current working directory, so
* that we don't have to actually call chdir(2).
*/
- fd_cwd = open (sysroot, O_RDONLY | O_DIRECTORY);
+ fd_cwd = open (sysroot, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
if (fd_cwd == -1) {
reply_with_perror ("%s", sysroot);
return NULL;
@@ -141,7 +143,7 @@ do_case_sensitive_path (const char *path)
next += i;
/* Is it a directory? Try going into it. */
- int fd2 = openat (fd_cwd, name, O_RDONLY | O_DIRECTORY);
+ int fd2 = openat (fd_cwd, name, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
int err = errno;
close (fd_cwd);
fd_cwd = fd2;
@@ -195,7 +197,7 @@ find_path_element (int fd_cwd, char *name, size_t *name_len_ret)
DIR *dir;
struct dirent *d;
- fd2 = dup (fd_cwd); /* because closedir will close it */
+ fd2 = dup_cloexec (fd_cwd); /* because closedir will close it */
if (fd2 == -1) {
reply_with_perror ("dup");
return -1;
diff --git a/daemon/stat.c b/daemon/stat.c
index 22592bb2..f0055518 100644
--- a/daemon/stat.c
+++ b/daemon/stat.c
@@ -147,7 +147,7 @@ do_lstatlist (const char *path, char *const *names)
}
CHROOT_IN;
- path_fd = open (path, O_RDONLY | O_DIRECTORY);
+ path_fd = open (path, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
CHROOT_OUT;
if (path_fd == -1) {
diff --git a/daemon/strings.c b/daemon/strings.c
index d94ac44e..847b45c8 100644
--- a/daemon/strings.c
+++ b/daemon/strings.c
@@ -41,7 +41,7 @@ do_strings_e (const char *encoding, const char *path)
}
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
diff --git a/daemon/truncate.c b/daemon/truncate.c
index 28d9ceb2..0c3731c8 100644
--- a/daemon/truncate.c
+++ b/daemon/truncate.c
@@ -35,7 +35,7 @@ do_truncate_size (const char *path, int64_t size)
int r;
CHROOT_IN;
- fd = open (path, O_WRONLY | O_NOCTTY);
+ fd = open (path, O_WRONLY|O_NOCTTY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
diff --git a/daemon/upload.c b/daemon/upload.c
index 2f3e5b5b..f96148b4 100644
--- a/daemon/upload.c
+++ b/daemon/upload.c
@@ -114,7 +114,7 @@ upload (const char *filename, int flags, int64_t offset)
int
do_upload (const char *filename)
{
- return upload (filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0);
+ return upload (filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY|O_CLOEXEC, 0);
}
/* Has one FileIn parameter. */
@@ -126,7 +126,7 @@ do_upload_offset (const char *filename, int64_t offset)
return -1;
}
- return upload (filename, O_WRONLY|O_CREAT|O_NOCTTY, offset);
+ return upload (filename, O_WRONLY|O_CREAT|O_NOCTTY|O_CLOEXEC, offset);
}
/* Has one FileOut parameter. */
@@ -139,7 +139,7 @@ do_download (const char *filename)
is_dev = STRPREFIX (filename, "/dev/");
if (!is_dev) CHROOT_IN;
- fd = open (filename, O_RDONLY);
+ fd = open (filename, O_RDONLY|O_CLOEXEC);
if (!is_dev) CHROOT_OUT;
if (fd == -1) {
reply_with_perror ("%s", filename);
@@ -222,7 +222,7 @@ do_download_offset (const char *filename, int64_t offset, int64_t size)
is_dev = STRPREFIX (filename, "/dev/");
if (!is_dev) CHROOT_IN;
- fd = open (filename, O_RDONLY);
+ fd = open (filename, O_RDONLY|O_CLOEXEC);
if (!is_dev) CHROOT_OUT;
if (fd == -1) {
reply_with_perror ("%s", filename);
diff --git a/daemon/wc.c b/daemon/wc.c
index 5d35559c..f2753469 100644
--- a/daemon/wc.c
+++ b/daemon/wc.c
@@ -35,7 +35,7 @@ wc (const char *flag, const char *path)
int fd, flags, r;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
diff --git a/daemon/zero.c b/daemon/zero.c
index 14ae7ddf..c45088cd 100644
--- a/daemon/zero.c
+++ b/daemon/zero.c
@@ -38,7 +38,7 @@ do_zero (const char *device)
int fd;
size_t i, offset;
- fd = open (device, O_RDWR);
+ fd = open (device, O_RDWR|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("%s", device);
return -1;
@@ -105,7 +105,7 @@ do_zero_device (const char *device)
return -1;
uint64_t size = (uint64_t) ssize;
- int fd = open (device, O_RDWR);
+ int fd = open (device, O_RDWR|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("%s", device);
return -1;
@@ -164,7 +164,7 @@ do_is_zero (const char *path)
ssize_t r;
CHROOT_IN;
- fd = open (path, O_RDONLY);
+ fd = open (path, O_RDONLY|O_CLOEXEC);
CHROOT_OUT;
if (fd == -1) {
@@ -200,7 +200,7 @@ do_is_zero_device (const char *device)
char buf[1024*1024];
ssize_t r;
- fd = open (device, O_RDONLY);
+ fd = open (device, O_RDONLY|O_CLOEXEC);
if (fd == -1) {
reply_with_perror ("open: %s", device);
return -1;