diff options
| author | Maciej Żenczykowski <maze@google.com> | 2012-03-21 00:52:00 +0000 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-03-23 11:24:30 +0100 |
| commit | c0aa38e22e8a09fcb1898ad0e042eaf6314d2d42 (patch) | |
| tree | 6c4df30f78f66235cb610b018f4dbf8a5cee1621 | |
| parent | 61b8f7ecb64b3b6fe04d2a6ad9598f66e42ceea8 (diff) | |
src: mark newly opened fds as FD_CLOEXEC (close on exec)
By default, Unix-like systems leak file descriptors after fork/exec
call. I think this seem to result in SELinux spotting a strange AVC
log messages according to what I can find on the web.
Fedora 18 iptables source includes this change.
Maciej says:
"iptables does potentially fork/exec modprobe to load modules.
That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing.
You can do automated inspection of what gets carried across such
privilege changes and any unexpected open file descriptors flag
problems, patches like this cut down on the noise."
Signed-off-by: Maciej enczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | extensions/libxt_set.h | 7 | ||||
| -rw-r--r-- | libiptc/libiptc.c | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h index 4ac84fa9..47c3f5b6 100644 --- a/extensions/libxt_set.h +++ b/extensions/libxt_set.h @@ -2,6 +2,7 @@ #define _LIBXT_SET_H #include <unistd.h> +#include <fcntl.h> #include <sys/types.h> #include <sys/socket.h> #include <errno.h> @@ -23,6 +24,12 @@ get_version(unsigned *version) xtables_error(OTHER_PROBLEM, "Can't open socket to ipset.\n"); + if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) { + xtables_error(OTHER_PROBLEM, + "Could not set close on exec: %s\n", + strerror(errno)); + } + req_version.op = IP_SET_OP_VERSION; res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size); if (res != 0) diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 13e41d52..63965e73 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -29,6 +29,8 @@ * - performance work: speedup initial ruleset parsing. * - sponsored by ComX Networks A/S (http://www.comx.dk/) */ +#include <unistd.h> +#include <fcntl.h> #include <sys/types.h> #include <sys/socket.h> #include <stdbool.h> @@ -1316,6 +1318,12 @@ TC_INIT(const char *tablename) if (sockfd < 0) return NULL; + if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) { + fprintf(stderr, "Could not set close on exec: %s\n", + strerror(errno)); + abort(); + } + retry: s = sizeof(info); |