From: "Richard W.M. Jones" <rjones(a)redhat.com>
The earlier (pipe-based) code never set this flag, but that was a bug,
potentially allowing the file descriptor to be leaked to subprocesses.
Set the FD_CLOEXEC flag, but also ensure it is cleared in the child
process just before qemu is exec'd (otherwise qemu would not have a
console).
---
src/launch-appliance.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/launch-appliance.c b/src/launch-appliance.c
index 4016d61..30c139e 100644
--- a/src/launch-appliance.c
+++ b/src/launch-appliance.c
@@ -33,6 +33,7 @@
#include <pcre.h>
+#include "cloexec.h"
#include "ignore-value.h"
#include "guestfs.h"
@@ -235,7 +236,7 @@ launch_appliance (guestfs_h *g, const char *arg)
}
if (!g->direct) {
- if (socketpair (AF_LOCAL, SOCK_STREAM, 0, sv) == -1) {
+ if (socketpair (AF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0, sv) == -1) {
perrorf (g, "socketpair");
goto cleanup0;
}
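Review bot: `SOCK_CLOEXEC` in the socketpair() type argument is not available everywhere; it is a Linux 2.6.27+ extension that only some other systems have adopted, so elsewhere this line either fails to compile or returns EINVAL at run time. If this file is meant to build on such platforms, guard the flag with `#ifdef SOCK_CLOEXEC` and fall back to a plain socketpair() followed by `set_cloexec_flag (sv[0], 1);` and `set_cloexec_flag (sv[1], 1);`. The fallback is not atomic, so a concurrent fork in another thread could still inherit the descriptors; a short comment saying so would help. launch_appliance starts and ends outside this hunk, so I cannot see whether a configure-time check already covers this.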
@@ -484,6 +485,12 @@ launch_appliance (guestfs_h *g, const char *arg)
close (1);
close (sv[0]);
+ /* We set the FD_CLOEXEC flag on the socket above, but now (in
+ * the child) it's safe to unset this flag so qemu can use the
+ * socket.
+ */
+ set_cloexec_flag (sv[1], 0);
+
/* Stdin. */
if (dup (sv[1]) == -1) {
dup_failed:
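Review bot: Clearing FD_CLOEXEC with `set_cloexec_flag (sv[1], 0);` looks unnecessary, and its return value is ignored. Descriptors returned by dup() always have FD_CLOEXEC cleared, so the stdin/stdout copies made just below survive the exec whatever the flag on sv[1] is. Clearing the flag on sv[1] itself means qemu also inherits that original descriptor unless it is closed after the dups; that code is outside this hunk, so I cannot confirm it. Consider dropping the call so sv[1] stays close-on-exec, which is the safer default if a later edit removes or skips the close. If the call is kept, treat a -1 result as fatal in the child and update the comment to say why the flag must be cleared despite the dup() semantics.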
--
1.8.1.4