author | Austin Adams <git@austinjadams.com> | 2016-07-29 20:29:37 -0400 |
committer | Austin Adams <git@austinjadams.com> | 2016-07-29 20:29:37 -0400 |
commit | f8944320066dd22c7b71e8a9436e736d3a78e029 (patch) | |
tree | 08390f49c0764ab12ac63a4da444f4c245842c30 | |
parent | 3f4f776e4cb7bf949de8d41e78ffe1252c46328f (diff) | |
download | nsdo-f8944320066dd22c7b71e8a9436e736d3a78e029.tar.gz nsdo-f8944320066dd22c7b71e8a9436e736d3a78e029.tar.xz |
Don't leak netns fd to exec()'d process
Pass O_CLOEXEC to open() to prevent the exec()'d process from inheriting
the file descriptor of the netns in /var/run/netns.
Example of current leaky behavior:
$ nsdo foo ls -l /proc/self/fd/
total 0
lrwx------ 1 austin austin 64 Jul 29 20:44 0 -> /dev/pts/21
lrwx------ 1 austin austin 64 Jul 29 20:44 1 -> /dev/pts/21
lrwx------ 1 austin austin 64 Jul 29 20:44 2 -> /dev/pts/21
lr-x------ 1 austin austin 64 Jul 29 20:44 3 -> /run/netns/foo <-- !
lr-x------ 1 austin austin 64 Jul 29 20:44 4 -> /proc/12307/fd
-rw-r--r-- | nsdo.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -165,7 +165,7 @@ int set_netns(char *ns) { return 0; } - if ((nsfd = open(nspath, O_RDONLY)) == -1) { + if ((nsfd = open(nspath, O_RDONLY | O_CLOEXEC)) == -1) { fprintf(stderr, PROGRAM ": open(\"%s\"): %s\n", nspath, strerror(errno)); return 0; } |
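Review bot: O_CLOEXEC releases nsfd only at the moment of exec(), so the descriptor remains open for everything set_netns and its caller do between this open() and the eventual exec(), and it is still inherited by any fork()'d child that never execs; an explicit `close(nsfd);` immediately after the setns() call (which lies outside this hunk) would release it on every path and make the O_CLOEXEC flag a belt-and-braces measure rather than the sole guard. It is also worth confirming that the feature-test macros in effect for this file expose O_CLOEXEC (on glibc it is guarded by _GNU_SOURCE or _POSIX_C_SOURCE >= 200809L), since with a strict -std=c99 build and no such macro this line would no longer compile. The body of set_netns continues on both sides of the hunk, so the failure path after the fprintf cannot be reviewed here.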