Set CLOEXEC option to sockets
hostinet/socket.go: the Sentry doesn't spawn new processes, but it doesn't hurt to protect the socket from leaking. unet/unet.go: should be setting close-on-exec. The FD is explicitly donated to children when needed. PiperOrigin-RevId: 200135682 Change-Id: Ia8a45ced1e00a19420c8611b12e7a8ee770f89cb
parent
ab2c2575d6
commit
ea4a468fba
|
@ -193,7 +193,7 @@ func (s *socketOperations) Accept(t *kernel.Task, peerRequested bool, flags int,
|
|||
|
||||
// Conservatively ignore all flags specified by the application and add
|
||||
// SOCK_NONBLOCK since socketOperations requires it.
|
||||
fd, syscallErr := accept4(s.fd, peerAddrPtr, peerAddrlenPtr, syscall.SOCK_NONBLOCK)
|
||||
fd, syscallErr := accept4(s.fd, peerAddrPtr, peerAddrlenPtr, syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC)
|
||||
if blocking {
|
||||
var ch chan struct{}
|
||||
for syscallErr == syserror.ErrWouldBlock {
|
||||
|
@ -207,7 +207,7 @@ func (s *socketOperations) Accept(t *kernel.Task, peerRequested bool, flags int,
|
|||
s.EventRegister(&e, waiter.EventIn)
|
||||
defer s.EventUnregister(&e)
|
||||
}
|
||||
fd, syscallErr = accept4(s.fd, peerAddrPtr, peerAddrlenPtr, syscall.SOCK_NONBLOCK)
|
||||
fd, syscallErr = accept4(s.fd, peerAddrPtr, peerAddrlenPtr, syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -545,7 +545,7 @@ func (p *socketProvider) Socket(t *kernel.Task, stypeflags unix.SockType, protoc
|
|||
// Conservatively ignore all flags specified by the application and add
|
||||
// SOCK_NONBLOCK since socketOperations requires it. Pass a protocol of 0
|
||||
// to simplify the syscall filters, since 0 and IPPROTO_* are equivalent.
|
||||
fd, err := syscall.Socket(p.family, stype|syscall.SOCK_NONBLOCK, 0)
|
||||
fd, err := syscall.Socket(p.family, stype|syscall.SOCK_NONBLOCK|syscall.SOCK_CLOEXEC, 0)
|
||||
if err != nil {
|
||||
return nil, syserr.FromError(err)
|
||||
}
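Review bot: The comment in the Socket hunk says the protocol is forced to 0 "to simplify the syscall filters", which suggests the seccomp rules inspect the arguments of socket(2) and possibly accept4(2); if any rule matches the type/flags value exactly, ORing in `syscall.SOCK_CLOEXEC` here and in both accept4 calls in Accept changes that value, so the filter entries have to change in the same commit. The filter definitions are not visible on this page, so this should be confirmed rather than assumed. The comments in the first Accept hunk and in Socket also still mention only SOCK_NONBLOCK; I would extend them, e.g. `// SOCK_NONBLOCK since socketOperations requires it, plus SOCK_CLOEXEC so the host FD is not inherited across exec.` The bodies of Accept and Socket continue outside the hunks.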
|
||||
|
|
|
@ -201,7 +201,7 @@ func (s *Socket) enterFD() (int, bool) {
|
|||
// SocketPair creates a pair of connected sockets.
|
||||
func SocketPair(packet bool) (*Socket, *Socket, error) {
|
||||
// Make a new pair.
|
||||
fds, err := syscall.Socketpair(syscall.AF_UNIX, socketType(packet), 0)
|
||||
fds, err := syscall.Socketpair(syscall.AF_UNIX, socketType(packet)|syscall.SOCK_CLOEXEC, 0)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
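Review bot: SocketPair's doc comment should state the new close-on-exec contract, since both returned FDs are now created with `syscall.SOCK_CLOEXEC` and a caller that relied on a child inheriting one of them will silently lose it. Something like `// SocketPair creates a pair of connected sockets. Both FDs are close-on-exec; a child that needs one must have it donated explicitly.` would match what the commit description says. Other FD-creating paths in unet (accept, connect) are not in this hunk, so it is worth checking that they set the flag as well. SocketPair's body continues past the end of the hunk.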
|
||||
|
|