Re: bgpd more O_CLOEXEC

Thu, 08 Aug 2019 10:56:06 -0700 

On Thu, Aug 08, 2019 at 01:40:06PM +0200, Claudio Jeker wrote:
> Just use O_CLOEXEC or SOCK_CLOEXEC on everything. There is no reason to
> keep any kind of file descriptor over an exec call. At least this way
> I'm sure that no fds will leak into the childs.
>
> OK?

OK bluhm@

> Index: carp.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/carp.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 carp.c
> --- carp.c    24 Jan 2017 04:22:42 -0000      1.9
> +++ carp.c    8 Aug 2019 11:33:37 -0000
> @@ -108,7 +108,7 @@ carp_demote_get(char *group)
>       int                     s;
>       struct ifgroupreq       ifgr;
>
> -     if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
> +     if ((s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0)) == -1) {
>               log_warn("carp_demote_get: socket");
>               return (-1);
>       }
> @@ -162,7 +162,7 @@ carp_demote_ioctl(char *group, int demot
>       int                     s, res;
>       struct ifgroupreq       ifgr;
>
> -     if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
> +     if ((s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0)) == -1) {
>               log_warn("%s: socket", __func__);
>               return (-1);
>       }
> Index: control.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/control.c,v
> retrieving revision 1.97
> diff -u -p -r1.97 control.c
> --- control.c 27 May 2019 09:14:32 -0000      1.97
> +++ control.c 8 Aug 2019 11:33:37 -0000
> @@ -47,7 +47,7 @@ control_check(char *path)
>       sun.sun_family = AF_UNIX;
>       strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
>
> -     if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
> +     if ((fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1) {
>               log_warn("%s: socket", __func__);
>               return (-1);
>       }
> Index: kroute.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
> retrieving revision 1.237
> diff -u -p -r1.237 kroute.c
> --- kroute.c  23 Jul 2019 06:26:44 -0000      1.237
> +++ kroute.c  8 Aug 2019 11:33:37 -0000
> @@ -2886,7 +2886,7 @@ get_mpe_config(const char *name, u_int *
>       *label = 0;
>       *rdomain = 0;
>
> -     s = socket(AF_INET, SOCK_DGRAM, 0);
> +     s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>       if (s == -1)
>               return (-1);
>
> Index: mrt.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/mrt.c,v
> retrieving revision 1.99
> diff -u -p -r1.99 mrt.c
> --- mrt.c     24 Jul 2019 08:58:24 -0000      1.99
> +++ mrt.c     8 Aug 2019 11:33:38 -0000
> @@ -908,7 +908,7 @@ mrt_open(struct mrt *mrt, time_t now)
>       }
>
>       fd = open(MRT2MC(mrt)->file,
> -         O_WRONLY|O_NONBLOCK|O_CREAT|O_TRUNC, 0644);
> +         O_WRONLY|O_NONBLOCK|O_CREAT|O_TRUNC|O_CLOEXEC, 0644);
>       if (fd == -1) {
>               log_warn("mrt_open %s", MRT2MC(mrt)->file);
>               return (1);
> Index: pftable.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/pftable.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 pftable.c
> --- pftable.c 28 Jun 2019 13:32:47 -0000      1.13
> +++ pftable.c 8 Aug 2019 11:33:38 -0000
> @@ -63,7 +63,7 @@ pftable_change(struct pf_table *pft)
>       if (pft->naddrs == 0 || pft->what == 0)
>               return (0);
>
> -     if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR)) == -1))
> +     if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1))
>               fatal("open(/dev/pf)");
>
>       bzero(&tio, sizeof(tio));
> @@ -90,7 +90,7 @@ pftable_clear(const char *name)
>  {
>       struct pfioc_table tio;
>
> -     if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR)) == -1))
> +     if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1))
>               fatal("open(/dev/pf)");
>
>       bzero(&tio, sizeof(tio));
> @@ -111,7 +111,7 @@ pftable_exists(const char *name)
>       struct pfioc_table tio;
>       struct pfr_astats dummy;
>
> -     if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR)) == -1))
> +     if (devpf == -1 && ((devpf = open("/dev/pf", O_RDWR|O_CLOEXEC)) == -1))
>               fatal("open(/dev/pf)");
>
>       bzero(&tio, sizeof(tio));

Reply via email to