mark newly opened fds as FD_CLOEXEC (close on exec)
authorMaciej Zenczykowski <maze@google.com>
Mon, 4 Apr 2011 13:30:32 +0000 (15:30 +0200)
committerPatrick McHardy <kaber@trash.net>
Mon, 4 Apr 2011 13:30:32 +0000 (15:30 +0200)
(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
extensions/libipt_realm.c
ip6tables-restore.c
ip6tables-save.c
iptables-restore.c
iptables-save.c
iptables-xml.c
xtables.c

index a250570628b91b6af88edb2156569dbff1e5fd1a..17b1754e69a99e31b3efd8b1a2d69013f0404ca3 100644 (file)
@@ -49,7 +49,7 @@ static void load_realms(void)
        int id;
        struct realmname *oldnm = NULL, *newnm = NULL;
 
-       fil = fopen(rfnm, "r");
+       fil = fopen(rfnm, "re");
        if (!fil) {
                rdberr = 1;
                return;
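Review bot: The `"e"` mode character in `fopen(rfnm, "re")` is a glibc extension, and a libc that does not implement it typically ignores the unknown character, so the stream would stay inheritable across exec with no error to notice. The same applies to the other five `fopen(..., "re")` hunks on this page: the three `main()` hunks that open `argv[optind]` and the two `for_each_table` hunks that open the `/proc/net/*_tables_names` files. A one-line comment at each site, e.g. `/* "e": open with O_CLOEXEC (glibc extension) */`, would record the intent. Where older or non-glibc targets matter, `fcntl(fileno(fil), F_SETFD, FD_CLOEXEC)` after a successful open, as the xtables.c hunks do, is the portable form. load_realms continues past the end of the hunk.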
index e9a130fad34f3380339b19055dd02ce05e0a0b7d..10c3acfc5849c2efc2f6543716cb7163af9f87b9 100644 (file)
@@ -168,7 +168,7 @@ int main(int argc, char *argv[])
        }
 
        if (optind == argc - 1) {
-               in = fopen(argv[optind], "r");
+               in = fopen(argv[optind], "re");
                if (!in) {
                        fprintf(stderr, "Can't open %s: %s\n", argv[optind],
                                strerror(errno));
index dc189e998f227fa1359f2311f5f7f9a95554cd19..c3b8ec0d31af2cb1bbc2de1174fc2ca771cc7013 100644 (file)
@@ -41,7 +41,7 @@ static int for_each_table(int (*func)(const char *tablename))
        FILE *procfile = NULL;
        char tablename[IP6T_TABLE_MAXNAMELEN+1];
 
-       procfile = fopen("/proc/net/ip6_tables_names", "r");
+       procfile = fopen("/proc/net/ip6_tables_names", "re");
        if (!procfile)
                return ret;
 
index 31ce52bf4aec731d13f02ef3299c20d034d941d4..c2cc58c864fa469bfabbe9297d2a3b4e1b87b72b 100644 (file)
@@ -174,7 +174,7 @@ main(int argc, char *argv[])
        }
 
        if (optind == argc - 1) {
-               in = fopen(argv[optind], "r");
+               in = fopen(argv[optind], "re");
                if (!in) {
                        fprintf(stderr, "Can't open %s: %s\n", argv[optind],
                                strerror(errno));
index 3bcf42277338ea294e4c8c82f032725f28088c0d..3e3ec43cfbeee15aef931ddaf49e647a75562885 100644 (file)
@@ -39,7 +39,7 @@ static int for_each_table(int (*func)(const char *tablename))
        FILE *procfile = NULL;
        char tablename[IPT_TABLE_MAXNAMELEN+1];
 
-       procfile = fopen("/proc/net/ip_tables_names", "r");
+       procfile = fopen("/proc/net/ip_tables_names", "re");
        if (!procfile)
                return ret;
 
index 8d670565190cea68555a7a33ca76993675d99f2d..57c7486d496a7bbdfb4b08cf763b167aa6b08445 100644 (file)
@@ -651,7 +651,7 @@ main(int argc, char *argv[])
        }
 
        if (optind == argc - 1) {
-               in = fopen(argv[optind], "r");
+               in = fopen(argv[optind], "re");
                if (!in) {
                        fprintf(stderr, "Can't open %s: %s", argv[optind],
                                strerror(errno));
index 2f00e3946eac8d23616112374a4580f1c4357d59..352963f48762e0b9bce572cf5ae364e0d0da23d5 100644 (file)
--- a/xtables.c
+++ b/xtables.c
@@ -300,6 +300,11 @@ static char *get_modprobe(void)
        procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
        if (procfile < 0)
                return NULL;
+       if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
+               fprintf(stderr, "Could not set close on exec: %s\n",
+                       strerror(errno));
+               exit(1);
+       }
 
        ret = malloc(PROCFILE_BUFSIZ);
        if (ret) {
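Review bot: Setting the flag with a separate `fcntl()` after `open()` leaves a short window in which the descriptor is inheritable, which matters if another thread in a program using this library forks and execs in between. Passing the flag at open time, `procfile = open(PROC_SYS_MODPROBE, O_RDONLY | O_CLOEXEC);`, is atomic and removes the new error path entirely. If the `fcntl()` form is kept for older kernels, the failure branch would fit this function better as `close(procfile); return NULL;`, matching the `return NULL` used when `open()` fails just above, instead of `exit(1)`. get_modprobe starts and ends outside the hunk.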
@@ -697,6 +702,12 @@ static int compatible_revision(const char *name, uint8_t revision, int opt)
                exit(1);
        }
 
+       if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+               fprintf(stderr, "Could not set close on exec: %s\n",
+                       strerror(errno));
+               exit(1);
+       }
+
        xtables_load_ko(xtables_modprobe_program, true);
 
        strcpy(rev.name, name);
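Review bot: The added block has no comment saying why the socket must be close-on-exec at this exact point. The reason appears to be the `xtables_load_ko(xtables_modprobe_program, true)` call directly below, which presumably runs the modprobe helper as a child that would otherwise inherit `sockfd`. I would add `/* keep sockfd out of the modprobe child started by xtables_load_ko() */` above the `fcntl()` so a later reorder does not move the call below it by accident. The socket creation is outside the hunk; if it is a plain `socket()` call, OR-ing `SOCK_CLOEXEC` into its type argument would set the flag atomically. compatible_revision starts and ends outside the hunk.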