charon: Set CLOEXEC flag on daemon PID file and /dev/(u)random source FDs
authorMartin Willi <martin@revosec.ch>
Tue, 24 Jun 2014 12:43:38 +0000 (14:43 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 24 Jun 2014 13:26:38 +0000 (15:26 +0200)
On Fedora, SELinux complains about these open file descriptors when the
updown script invokes iptables. While it seems difficult to set the flag
on all file descriptors, this at least fixes those covered by the SELinux
policy.

As these two cases are in code executed while the daemon is still single
threaded, we avoid the use of atomic but not fully portable fdopen("e") or
open(O_CLOEXEC) calls.

Fixes #519.

src/charon/charon.c
src/libstrongswan/plugins/random/random_plugin.c

index a82aa425612cb060f00bff542882c6b231a53329..8afac3ffff1759c49892481c9d943699d2a28d67 100644 (file)
@@ -26,6 +26,8 @@
 #include <sys/utsname.h>
 #include <unistd.h>
 #include <getopt.h>
+#include <fcntl.h>
+#include <errno.h>
 
 #include <hydra.h>
 #include <daemon.h>
@@ -232,6 +234,14 @@ static bool check_pidfile()
        pidfile = fopen(PID_FILE, "w");
        if (pidfile)
        {
+               int fd;
+
+               fd = fileno(pidfile);
+               if (fd == -1 || fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
+               {
+                       DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s",
+                                strerror(errno));
+               }
                ignore_result(fchown(fileno(pidfile),
                                                         lib->caps->get_uid(lib->caps),
                                                         lib->caps->get_gid(lib->caps)));
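Review bot: The fopen()-then-fcntl() sequence in check_pidfile() is only safe while no other thread can fork and exec between the two calls, and that precondition is stated in the commit message but not in the code; the same applies to the open_dev() hunk in random_plugin.c. A short comment above the fcntl() call would keep a later refactor from moving this into threaded code, e.g. `/* not atomic with fopen(); fine here as the daemon is still single-threaded */`. As a style point, the new `fd` could also be passed to the fchown() call right below instead of calling `fileno(pidfile)` a second time. check_pidfile() starts before this hunk and continues after it.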
index 1f1079240673ce095face962e218ef5a5aa7ae9b..e159751be70d6bf791ec839f4bb47eec1d46cde3 100644 (file)
@@ -89,6 +89,11 @@ static bool open_dev(char *file, int *fd)
                DBG1(DBG_LIB, "opening \"%s\" failed: %s", file, strerror(errno));
                return FALSE;
        }
+       if (fcntl(*fd, F_SETFD, FD_CLOEXEC) == -1)
+       {
+               DBG1(DBG_LIB, "setting FD_CLOEXEC for \"%s\" failed: %s",
+                        file, strerror(errno));
+       }
        return TRUE;
 }
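Review bot: When fcntl() fails, open_dev() logs the error and still returns TRUE, so the caller cannot tell that the /dev/(u)random descriptor remains inheritable by child processes such as the updown script. If that best-effort behaviour is intended, say so next to the check, e.g. `/* best effort: a failure only leaves the FD inheritable, the source stays usable */`. The call also replaces the descriptor flags rather than OR-ing FD_CLOEXEC onto the F_GETFD result; that is harmless on a freshly opened descriptor, but worth knowing if the pattern gets copied elsewhere. The start of open_dev() is outside the hunk.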