libebtc: Open the lockfile with O_CLOEXEC

Otherwise the fd will leak to subprocesses (e.g. modprobe). That's mostly benign, but it may trigger an SELinux denial when the modprobe process transitions to another domain. Fixes: 8b5594d7c21f ("add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Ondrej Mosnacek <omosnace@redhat.com> 2021-02-17 22:30:23 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-02-17 23:57:31 +0100
commit: 46eb78ff358724f5addf14e45f2cfc31542ede3c (patch)
tree: 2e8cc777f4a7564e8167e0343c2d19b347b49185
parent: 7d00e58157bc61168a057cde91a6e5b54dca573b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libebtc.c b/libebtc.c
index 2a9ab87..1b058ef 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -144,7 +144,7 @@ static int lock_file()
 	int fd, try = 0;
 
 retry:
-	fd = open(LOCKFILE, O_CREAT, 00600);
+	fd = open(LOCKFILE, O_CREAT|O_CLOEXEC, 00600);
 	if (fd < 0) {
 		if (try == 1 || mkdir(dirname(pathbuf), 00700))
 			return -2;
author	Ondrej Mosnacek <omosnace@redhat.com>	2021-02-17 22:30:23 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-02-17 23:57:31 +0100
commit	46eb78ff358724f5addf14e45f2cfc31542ede3c (patch)
tree	2e8cc777f4a7564e8167e0343c2d19b347b49185
parent	7d00e58157bc61168a057cde91a6e5b54dca573b (diff)