Prevent leaking of machport/proc/signal fds across execve()

2025-02-17 02:38:02 +00:00 · 2017-07-13 20:12:22 +02:00 · 2017-07-13 20:12:22 +02:00 · f411d4553d
commit f411d4553d
parent 22005641d9
3 changed files with 5 additions and 0 deletions
--- a/src/linux/machport.c
+++ b/src/linux/machport.c
@ -87,6 +87,8 @@ evfilt_machport_knote_create(struct filter *filt, struct knote *kn)
        return (-1);
    }

+    fcntl(kn->kdata.kn_dupfd, F_SETFD, FD_CLOEXEC);
+
    if (epoll_ctl(kn->kn_epollfd, EPOLL_CTL_ADD, kn->kdata.kn_dupfd, &ev) < 0) {
        dbg_printf("epoll_ctl(2): %s", strerror(errno));
        return (-1);
--- a/src/linux/proc.c
+++ b/src/linux/proc.c
@ -131,6 +131,8 @@ evfilt_proc_knote_create(struct filter *filt, struct knote *kn)
 		kn->kdata.kn_dupfd = lkm_call(NR_evproc_create, &args);
 		if (kn->kdata.kn_dupfd == -1)
 			dbg_printf("evproc_create() failed: %s\n", strerror(errno));
+
+		fcntl(kn->kdata.kn_dupfd, F_SETFD, FD_CLOEXEC);
 	}

 	kn->kev.fflags &= ~NOTE_PASSINGFD;
--- a/src/linux/signal.c
+++ b/src/linux/signal.c
@ -100,6 +100,7 @@ signalfd_create(int epfd, void *ptr, int signum)
        dbg_perror("signalfd(2)");
        goto errout;
    }
+    fcntl(sigfd, F_SETFD, FD_CLOEXEC);

    /* Block the signal handler from being invoked */
    if (sigprocmask(SIG_BLOCK, &sigmask, NULL) < 0) {