authorAustin Adams <git@austinjadams.com>2016-07-29 20:29:37 -0400
committerAustin Adams <git@austinjadams.com>2016-07-29 20:29:37 -0400
commitf8944320066dd22c7b71e8a9436e736d3a78e029 (patch)
tree08390f49c0764ab12ac63a4da444f4c245842c30
parent3f4f776e4cb7bf949de8d41e78ffe1252c46328f (diff)
Don't leak netns fd to exec()'d process
Pass O_CLOEXEC to open() to prevent the exec()'d process from inheriting the file descriptor of the netns in /var/run/netns. Example of current leaky behavior: $ nsdo foo ls -l /proc/self/fd/ total 0 lrwx------ 1 austin austin 64 Jul 29 20:44 0 -> /dev/pts/21 lrwx------ 1 austin austin 64 Jul 29 20:44 1 -> /dev/pts/21 lrwx------ 1 austin austin 64 Jul 29 20:44 2 -> /dev/pts/21 lr-x------ 1 austin austin 64 Jul 29 20:44 3 -> /run/netns/foo <-- ! lr-x------ 1 austin austin 64 Jul 29 20:44 4 -> /proc/12307/fd
-rw-r--r--nsdo.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/nsdo.c b/nsdo.c
index 7291641..4dc9fe6 100644
--- a/nsdo.c
+++ b/nsdo.c
@@ -165,7 +165,7 @@ int set_netns(char *ns) {
return 0;
}
- if ((nsfd = open(nspath, O_RDONLY)) == -1) {
+ if ((nsfd = open(nspath, O_RDONLY | O_CLOEXEC)) == -1) {
fprintf(stderr, PROGRAM ": open(\"%s\"): %s\n", nspath, strerror(errno));
return 0;
}
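Review bot: O_CLOEXEC only closes nsfd at exec() time, so on every path between this open() and the exec — the setns() failure path, any return from set_netns() after a successful setns(), or a child forked before exec — the descriptor stays open; since set_netns() continues outside the hunk I cannot see whether it does so, but the fd should be closed explicitly with `close(nsfd);` as soon as setns() has returned (success or failure), keeping O_CLOEXEC as the backstop. The new line also deserves a one-line why-comment, e.g. `/* O_CLOEXEC: the netns fd must not be inherited by the exec()'d command */`, since the flag is the whole point of the change. Note that O_CLOEXEC requires _GNU_SOURCE or _POSIX_C_SOURCE >= 200809L to be visible from <fcntl.h>; that is presumably already satisfied given setns() is used, but worth confirming in the file's feature-test macros.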