Don't leak netns fd to exec()'d process

Pass O_CLOEXEC to open() to prevent the exec()'d process from inheriting the file descriptor of the netns in /var/run/netns. Example of current leaky behavior: $ nsdo foo ls -l /proc/self/fd/ total 0 lrwx------ 1 austin austin 64 Jul 29 20:44 0 -> /dev/pts/21 lrwx------ 1 austin austin 64 Jul 29 20:44 1 -> /dev/pts/21 lrwx------ 1 austin austin 64 Jul 29 20:44 2 -> /dev/pts/21 lr-x------ 1 austin austin 64 Jul 29 20:44 3 -> /run/netns/foo <-- ! lr-x------ 1 austin austin 64 Jul 29 20:44 4 -> /proc/12307/fd
author: Austin Adams <git@austinjadams.com> 2016-07-29 20:29:37 -0400
committer: Austin Adams <git@austinjadams.com> 2016-07-29 20:29:37 -0400
commit: f8944320066dd22c7b71e8a9436e736d3a78e029 (patch)
tree: 08390f49c0764ab12ac63a4da444f4c245842c30
parent: 3f4f776e4cb7bf949de8d41e78ffe1252c46328f (diff)
download: nsdo-f8944320066dd22c7b71e8a9436e736d3a78e029.tar.gz
nsdo-f8944320066dd22c7b71e8a9436e736d3a78e029.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/nsdo.c b/nsdo.c
index 7291641..4dc9fe6 100644
--- a/nsdo.c
+++ b/nsdo.c
@@ -165,7 +165,7 @@ int set_netns(char *ns) {
         return 0;
     }
 
-    if ((nsfd = open(nspath, O_RDONLY)) == -1) {
+    if ((nsfd = open(nspath, O_RDONLY | O_CLOEXEC)) == -1) {
         fprintf(stderr, PROGRAM ": open(\"%s\"): %s\n", nspath, strerror(errno));
         return 0;
     }
author	Austin Adams <git@austinjadams.com>	2016-07-29 20:29:37 -0400
committer	Austin Adams <git@austinjadams.com>	2016-07-29 20:29:37 -0400
commit	f8944320066dd22c7b71e8a9436e736d3a78e029 (patch)
tree	08390f49c0764ab12ac63a4da444f4c245842c30
parent	3f4f776e4cb7bf949de8d41e78ffe1252c46328f (diff)
download	nsdo-f8944320066dd22c7b71e8a9436e736d3a78e029.tar.gz nsdo-f8944320066dd22c7b71e8a9436e736d3a78e029.tar.xz