authorRichard W.M. Jones <rjones@redhat.com>2012-03-14 19:30:46 +0000
committerRichard W.M. Jones <rjones@redhat.com>2012-03-14 19:30:46 +0000
commit606732d02e678161ff433040a21d54fc2ea8bb43 (patch)
tree7549558e51d1dd45a45e71ce219084e368eb845d /src/appliance.c
parent13e7a1b400b7e2a5e9335d25205b09e74c89d858 (diff)
Use O_CLOEXEC / SOCK_CLOEXEC for almost all file descriptors.
The presumption is that all file descriptors should be created with the close-on-exec flag set. The only exceptions are file descriptors that we want passed through to exec'd subprocesses (mainly pipes and stdin/stdout/stderr). For open calls, we pass O_CLOEXEC as an extra flag, eg: fd = open ("foo", O_RDONLY|O_CLOEXEC); This is a Linux-ism, but using a macro we can easily make it portable. For sockets, similarly: sock = socket (..., SOCK_STREAM|SOCK_CLOEXEC, ...); For accepted sockets, we use the Linux accept4 system call which allows flags to be supplied, but we use the Gnulib 'accept4' module to make this portable. For dup, dup2, we use the Linux dup3 system call, and the Gnulib modules 'dup3' and 'cloexec'.
Diffstat (limited to 'src/appliance.c')
-rw-r--r--src/appliance.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/appliance.c b/src/appliance.c
index 9d51d3dc..e42bec45 100644
--- a/src/appliance.c
+++ b/src/appliance.c
@@ -379,7 +379,7 @@ check_for_cached_appliance (guestfs_h *g,
garbage_collect_appliances (cachedir);
/* Try to open and acquire a lock on the checksum file. */
- int fd = open (filename, O_RDONLY);
+ int fd = open (filename, O_RDONLY|O_CLOEXEC);
if (fd == -1)
return 0;
#ifdef HAVE_FUTIMENS
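Review bot: Whether `O_CLOEXEC` takes effect on this `open` depends on the portability macro the commit message mentions, which is not defined anywhere in this file's diff. If that fallback expands to 0 on a platform without the flag, the descriptor that the preceding comment says is about to carry the lock on the checksum file would still be inherited across exec, and nothing here would report it. A short comment at the call, for example `/* O_CLOEXEC: the lock fd must not leak into exec'd children. */`, would record the intent. Where the fallback is 0, an `fcntl (fd, F_SETFD, FD_CLOEXEC)` after the open would be the usual backstop. check_for_cached_appliance begins and continues outside the hunk.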
@@ -497,7 +497,7 @@ build_supermin_appliance (guestfs_h *g,
/* Open and acquire write lock on checksum file. The file might
* not exist, in which case we want to create it.
*/
- int fd = open (filename, O_WRONLY|O_CREAT, 0755);
+ int fd = open (filename, O_WRONLY|O_CREAT|O_NOCTTY|O_CLOEXEC, 0755);
if (fd == -1) {
perrorf (g, "open: %s", filename);
guestfs___remove_tmpdir (tmpcd);
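Review bot: The new flag list on the `open` of the checksum file adds `O_NOCTTY`, which the commit message does not mention, but still creates the file with `O_CREAT` and no `O_NOFOLLOW`. If the cache directory can ever be written by another user (not visible in this hunk), a symlink placed at `filename` would be followed and its target opened for writing. The call could be hardened as `int fd = open (filename, O_WRONLY|O_CREAT|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC, 0755);`. A checksum/lock file also appears to have no use for execute bits, so `0644` looks like the intended mode. build_supermin_appliance begins and continues outside the hunk.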