hooks: use cloexec everywhere

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/hooks/unmount-namespace.c b/hooks/unmount-namespace.c
index 4a4e974052af4afaaa0f3ecbee4a8ac23822f29b..df139e052a444da086b3fefeba4ceea3249fc54d 100644 (file)
--- a/hooks/unmount-namespace.c
+++ b/hooks/unmount-namespace.c
@@ -45,7 +45,7 @@
 #endif
 
 #ifndef O_PATH
-#define O_PATH      010000000
+#define O_PATH 010000000
 #endif
 
 /* Define setns() if missing from the C library */
@@ -110,13 +110,13 @@ static int read_mounts(int procfd, struct mount **mp, size_t *countp) {
        *mp = NULL;
        *countp = 0;
 
-       fd = openat(procfd, "self/mounts", O_RDONLY);
+       fd = openat(procfd, "self/mounts", O_RDONLY | O_CLOEXEC);
        if (fd < 0) {
                free(mounts);
                return 0;
        }
 
-       mf = fdopen(fd, "r");
+       mf = fdopen(fd, "re");
        if (!mf) {
                int error = errno;
                close(fd);
@@ -188,14 +188,14 @@ int main(int argc, char **argv) {
        /* Open a handle to /proc on the host as we need to access /proc/self/mounts
         * and the container's /proc doesn't contain our /self. See read_mounts().
         */
-       procfd = open("/proc", O_RDONLY | O_DIRECTORY | O_PATH);
+       procfd = open("/proc", O_RDONLY | O_DIRECTORY | O_PATH | O_CLOEXEC);
        if (procfd < 0) {
                fprintf(stderr, "%s: failed to open /proc: %s\n", argv[0], strerror(errno));
                return 4;
        }
 
        /* Open the mount namespace and enter it. */
-       ctmntfd = open(mntns, O_RDONLY);
+       ctmntfd = open(mntns, O_RDONLY | O_CLOEXEC);
        if (ctmntfd < 0) {
                fprintf(stderr, "%s: failed to open mount namespace: %s\n",
                        argv[0], strerror(errno));