Use SOCK_CLOEXEC/O_CLOEXEC where available

No need for the explicit fcntl() call, request the behaviour when
opening the descriptor.

One fcntl() call setting FD_CLOEXEC remains in extensions/libxt_bpf.c,
the indirect syscall seems not to support passing the flag directly.

Reported-by: Gaurav Gupta <g.gupta@samsung.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1104
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 597bf7ebe575a1e74184b5bee21ff91653ca3f94..685bfab95559715cdef7437e29ca24e61dc30e5a 100644 (file)
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -10,7 +10,7 @@
 static int
 get_version(unsigned *version)
 {
-       int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+       int res, sockfd = socket(AF_INET, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
        struct ip_set_req_version req_version;
        socklen_t size = sizeof(req_version);
        
@@ -18,12 +18,6 @@ get_version(unsigned *version)
                xtables_error(OTHER_PROBLEM,
                              "Can't open socket to ipset.\n");
 
-       if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
-               xtables_error(OTHER_PROBLEM,
-                             "Could not set close on exec: %s\n",
-                             strerror(errno));
-       }
-
        req_version.op = IP_SET_OP_VERSION;
        res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
        if (res != 0)

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 29ff356f2324e7a58cb372999dd9fa3bee8b2dce..e475063367c26c3ec53c75ff50a0e25950751995 100644 (file)
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1318,16 +1318,10 @@ retry:
                return NULL;
        }
 
-       sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
+       sockfd = socket(TC_AF, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
        if (sockfd < 0)
                return NULL;
 
-       if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
-               fprintf(stderr, "Could not set close on exec: %s\n",
-                       strerror(errno));
-               abort();
-       }
-
        s = sizeof(info);
 
        strcpy(info.name, tablename);

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index e3e444acbbaa26c019ee93eff9c47e6c48dd367d..ba9ceaeb3da4186e97ac8a16531a618b401f3232 100644 (file)
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -481,14 +481,9 @@ static char *get_modprobe(void)
        char *ret;
        int count;
 
-       procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
+       procfile = open(PROC_SYS_MODPROBE, O_RDONLY | O_CLOEXEC);
        if (procfile < 0)
                return NULL;
-       if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
-               fprintf(stderr, "Could not set close on exec: %s\n",
-                       strerror(errno));
-               exit(1);
-       }
 
        ret = malloc(PATH_MAX);
        if (ret) {
@@ -1023,7 +1018,7 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
        socklen_t s = sizeof(rev);
        int max_rev, sockfd;
 
-       sockfd = socket(afinfo->family, SOCK_RAW, IPPROTO_RAW);
+       sockfd = socket(afinfo->family, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
        if (sockfd < 0) {
                if (errno == EPERM) {
                        /* revision 0 is always supported. */
@@ -1039,12 +1034,6 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
                exit(1);
        }
 
-       if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
-               fprintf(stderr, "Could not set close on exec: %s\n",
-                       strerror(errno));
-               exit(1);
-       }
-
        xtables_load_ko(xtables_modprobe_program, true);
 
        strncpy(rev.name, name, XT_EXTENSION_MAXNAMELEN - 1);