Don't unnecessarily avoid CLOEXEC flags

There are several places in the passt code where we have lint overrides
because we're not adding CLOEXEC flags to open or other operations.
Comments suggest this is because it's before we fork() into the background
but we'll need those file descriptors after we're in the background.

However, as the name suggests, CLOEXEC closes on exec(), not on fork().  The
only places we exec() are either super early, to invoke the avx2 version of
the binary, or when we start a shell in pasta mode, which certainly *doesn't*
require the fds in question.

Add the CLOEXEC flag in those places, and remove the lint overrides.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
David Gibson 2022-08-23 16:31:51 +10:00 committed by Stefano Brivio
parent 42a60735e1
commit 60ffc5b6cb
3 changed files with 6 additions and 12 deletions

10
conf.c

@ -562,18 +562,14 @@ static int conf_ns_opt(struct ctx *c,
continue; continue;
} }
/* Don't pass O_CLOEXEC here: ns_enter() needs those files */
if (!c->netns_only) { if (!c->netns_only) {
if (*conf_userns) if (*conf_userns)
/* NOLINTNEXTLINE(android-cloexec-open) */ ufd = open(conf_userns, O_RDONLY | O_CLOEXEC);
ufd = open(conf_userns, O_RDONLY);
else if (*userns) else if (*userns)
/* NOLINTNEXTLINE(android-cloexec-open) */ ufd = open(userns, O_RDONLY | O_CLOEXEC);
ufd = open(userns, O_RDONLY);
} }
/* NOLINTNEXTLINE(android-cloexec-open) */ nfd = open(netns, O_RDONLY | O_CLOEXEC);
nfd = open(netns, O_RDONLY);
if (nfd == -1 || (ufd == -1 && !c->netns_only)) { if (nfd == -1 || (ufd == -1 && !c->netns_only)) {
if (nfd >= 0) if (nfd >= 0)
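Review bot: With the `Don't pass O_CLOEXEC here` comment deleted above `if (!c->netns_only)`, nothing in this block records that `ufd` and `nfd` are kept open for ns_enter(), which was the one useful fact in the old comment. A replacement such as `/* Kept open for ns_enter(); O_CLOEXEC so they don't leak across exec() */` would keep that fact. It would also state the intent that these namespace descriptors are not inherited by the shell started in pasta mode. conf_ns_opt() starts and ends outside the hunk, so whether the descriptors are closed once ns_enter() is done with them cannot be checked from here.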


@ -329,8 +329,7 @@ int main(int argc, char **argv)
__setlogmask(LOG_MASK(LOG_EMERG)); __setlogmask(LOG_MASK(LOG_EMERG));
/* NOLINTNEXTLINE(android-cloexec-epoll-create1): forking in a moment */ c.epollfd = epoll_create1(EPOLL_CLOEXEC);
c.epollfd = epoll_create1(0);
if (c.epollfd == -1) { if (c.epollfd == -1) {
perror("epoll_create1"); perror("epoll_create1");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
@ -381,8 +380,7 @@ int main(int argc, char **argv)
pcap_init(&c); pcap_init(&c);
if (!c.foreground) { if (!c.foreground) {
/* NOLINTNEXTLINE(android-cloexec-open): see __daemon() */ if ((devnull_fd = open("/dev/null", O_RDWR | O_CLOEXEC)) < 0) {
if ((devnull_fd = open("/dev/null", O_RDWR)) < 0) {
perror("/dev/null open"); perror("/dev/null open");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
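Review bot: The `/dev/null` open in the second hunk loses its `see __daemon()` pointer along with the lint override, so a reader no longer learns where `devnull_fd` is consumed or why O_CLOEXEC is harmless there. Presumably __daemon() dup2()s it onto the standard descriptors, though that body is not shown in this hunk. If so, the duplicates do not carry FD_CLOEXEC, and a short comment like `/* __daemon() dup2()s this; the copies don't inherit FD_CLOEXEC */` would make that explicit. main() continues outside both hunks.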


@ -223,7 +223,7 @@ void pasta_ns_conf(struct ctx *c)
*/ */
int pasta_netns_quit_init(struct ctx *c) int pasta_netns_quit_init(struct ctx *c)
{ {
int flags = O_NONBLOCK | (c->foreground ? O_CLOEXEC : 0); int flags = O_NONBLOCK | O_CLOEXEC;
struct epoll_event ev = { .events = EPOLLIN }; struct epoll_event ev = { .events = EPOLLIN };
int inotify_fd; int inotify_fd;