treewide: Fix android-cloexec-* clang-tidy warnings, re-enable checks

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Makefile

@@ -180,13 +180,6 @@ pkgs: static
 # - readability-isolate-declaration
 #	Dubious value, would kill readability
 #
-# - android-cloexec-open
-# - android-cloexec-pipe
-# - android-cloexec-pipe2
-# - android-cloexec-epoll-create1
-# - android-cloexec-inotify-init1
-#	TODO: check, fix except for the few cases where we need to share fds
-#
 # - bugprone-narrowing-conversions
 # - cppcoreguidelines-narrowing-conversions
 #	TODO: nice to fix eventually
@@ -228,8 +221,6 @@ clang-tidy: $(wildcard *.c) $(wildcard *.h)
 	-llvm-include-order,\
 	-cppcoreguidelines-avoid-magic-numbers,\
 	-readability-isolate-declaration,\
-	-android-cloexec-open,-android-cloexec-pipe,-android-cloexec-pipe2,\
-	-android-cloexec-epoll-create1,-android-cloexec-inotify-init1,\
 	-bugprone-narrowing-conversions,\
 	-cppcoreguidelines-narrowing-conversions,\
 	-cppcoreguidelines-avoid-non-const-global-variables,\

conf.c

@@ -285,7 +285,7 @@ static void get_dns(struct ctx *c)
 	if (dns_set && dnss_set)
 		return;
 
-	if ((fd = open("/etc/resolv.conf", O_RDONLY)) < 0)
+	if ((fd = open("/etc/resolv.conf", O_RDONLY | O_CLOEXEC)) < 0)
 		goto out;
 
 	while (!(*buf = 0) && line_read(buf, BUFSIZ, fd)) {
@@ -406,13 +406,17 @@ static int conf_ns_opt(struct ctx *c,
 				continue;
 		}
 
+		/* Don't pass O_CLOEXEC here: ns_enter() needs those files */
 		if (!c->netns_only) {
 			if (*conf_userns)
+				/* NOLINTNEXTLINE(android-cloexec-open) */
 				ufd = open(conf_userns, O_RDONLY);
 			else if (*userns)
+				/* NOLINTNEXTLINE(android-cloexec-open) */
 				ufd = open(userns, O_RDONLY);
 		}
 
+		/* NOLINTNEXTLINE(android-cloexec-open) */
 		nfd = open(netns, O_RDONLY);
 
 		if (nfd == -1 || (ufd == -1 && !c->netns_only)) {

passt.c

@@ -202,7 +202,7 @@ static void check_root(void)
 	if (getuid() && geteuid())
 		return;
 
-	if ((fd = open("/proc/self/uid_map", O_RDONLY)) < 0)
+	if ((fd = open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0)
 		return;
 
 	if (read(fd, buf, BUFSIZ) > 0 &&
@@ -359,7 +359,7 @@ int main(int argc, char **argv)
 	if (!c.debug && (c.stderr || isatty(fileno(stdout))))
 		__openlog(log_name, LOG_PERROR, LOG_DAEMON);
 
-	c.epollfd = epoll_create1(0);
+	c.epollfd = epoll_create1(c.foreground ? O_CLOEXEC : 0);
 	if (c.epollfd == -1) {
 		perror("epoll_create1");
 		exit(EXIT_FAILURE);
@@ -405,11 +405,12 @@ int main(int argc, char **argv)
 	pcap_init(&c);
 
 	if (!c.foreground)
+		/* NOLINTNEXTLINE(android-cloexec-open): see __daemon() */
 		devnull_fd = open("/dev/null", O_RDWR);
 
 	if (*c.pid_file)
-		pidfile_fd = open(c.pid_file,
-				  O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
+		pidfile_fd = open(c.pid_file, O_CREAT | O_WRONLY | O_CLOEXEC,
+				  S_IRUSR | S_IWUSR);
 
 	if (sandbox(&c)) {
 		err("Failed to sandbox process, exiting\n");

pasta.c

@@ -78,6 +78,7 @@ void pasta_child_handler(int signal)
 static int pasta_wait_for_ns(void *arg)
 {
 	struct ctx *c = (struct ctx *)arg;
+	int flags = O_RDONLY | O_CLOEXEC;
 	char ns[PATH_MAX];
 
 	if (c->netns_only)
@@ -85,14 +86,14 @@ static int pasta_wait_for_ns(void *arg)
 
 	snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
 	do
-		while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
+		while ((c->pasta_userns_fd = open(ns, flags)) < 0);
 	while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
 	       !close(c->pasta_userns_fd));
 
 netns:
 	snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
 	do
-		while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
+		while ((c->pasta_netns_fd = open(ns, flags)) < 0);
 	while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
 	       !close(c->pasta_netns_fd));
 
@@ -126,23 +127,23 @@ static int pasta_setup_ns(void *arg)
 
 		snprintf(buf, BUFSIZ, "%i %i %i", 0, a->euid, 1);
 
-		fd = open("/proc/self/uid_map", O_WRONLY);
+		fd = open("/proc/self/uid_map", O_WRONLY | O_CLOEXEC);
 		if (write(fd, buf, strlen(buf)) < 0)
 			warn("Cannot set uid_map in namespace");
 		close(fd);
 
-		fd = open("/proc/self/setgroups", O_WRONLY);
+		fd = open("/proc/self/setgroups", O_WRONLY | O_CLOEXEC);
 		if (write(fd, "deny", sizeof("deny")) < 0)
 			warn("Cannot write to setgroups in namespace");
 		close(fd);
 
-		fd = open("/proc/self/gid_map", O_WRONLY);
+		fd = open("/proc/self/gid_map", O_WRONLY | O_CLOEXEC);
 		if (write(fd, buf, strlen(buf)) < 0)
 			warn("Cannot set gid_map in namespace");
 		close(fd);
 	}
 
-	fd = open("/proc/sys/net/ipv4/ping_group_range", O_WRONLY);
+	fd = open("/proc/sys/net/ipv4/ping_group_range", O_WRONLY | O_CLOEXEC);
 	if (write(fd, "0 0", strlen("0 0")) < 0)
 		warn("Cannot set ping_group_range, ICMP requests might fail");
 	close(fd);
@@ -231,13 +232,14 @@ void pasta_ns_conf(struct ctx *c)
  */
 int pasta_netns_quit_init(struct ctx *c)
 {
+	int flags = O_NONBLOCK | (c->foreground ? O_CLOEXEC : 0);
 	struct epoll_event ev = { .events = EPOLLIN };
 	int inotify_fd;
 
 	if (c->mode != MODE_PASTA || c->no_netns_quit || !*c->netns_base)
 		return -1;
 
-	if ((inotify_fd = inotify_init1(O_NONBLOCK)) < 0) {
+	if ((inotify_fd = inotify_init1(flags)) < 0) {
 		perror("inotify_init(): won't quit once netns is gone");
 		return -1;
 	}

pcap.c

@@ -170,6 +170,7 @@ fail:
  */
 void pcap_init(struct ctx *c)
 {
+	int flags = O_WRONLY | O_CREAT | O_TRUNC;
 	struct timeval tv;
 
 	if (pcap_fd != -1)
@@ -200,8 +201,8 @@ void pcap_init(struct ctx *c)
 		strncpy(c->pcap, name, PATH_MAX);
 	}
 
-	pcap_fd = open(c->pcap, O_WRONLY | O_CREAT | O_TRUNC,
-		       S_IRUSR | S_IWUSR);
+	flags |= c->foreground ? O_CLOEXEC : 0;
+	pcap_fd = open(c->pcap, flags, S_IRUSR | S_IWUSR);
 	if (pcap_fd == -1) {
 		perror("open");
 		return;

tap.c

@@ -875,12 +875,13 @@ static int tun_ns_fd = -1;
 static int tap_ns_tun(void *arg)
 {
 	struct ifreq ifr = { .ifr_flags = IFF_TAP | IFF_NO_PI };
+	int flags = O_RDWR | O_NONBLOCK | O_CLOEXEC;
 	struct ctx *c = (struct ctx *)arg;
 
 	strncpy(ifr.ifr_name, c->pasta_ifn, IFNAMSIZ);
 
 	if (ns_enter(c) ||
-	    (tun_ns_fd = open("/dev/net/tun", O_RDWR | O_NONBLOCK)) < 0 ||
+	    (tun_ns_fd = open("/dev/net/tun", flags)) < 0 ||
 	    ioctl(tun_ns_fd, TUNSETIFF, &ifr) ||
 	    !(c->pasta_ifi = if_nametoindex(c->pasta_ifn)))
 		tun_ns_fd = -1;

tcp_splice.c

@@ -370,8 +370,8 @@ static int tcp_splice_connect_finish(const struct ctx *c,
 	}
 
 	if (conn->pipe_a_b[0] < 0) {
-		if (pipe2(conn->pipe_a_b, O_NONBLOCK) ||
-		    pipe2(conn->pipe_b_a, O_NONBLOCK)) {
+		if (pipe2(conn->pipe_a_b, O_NONBLOCK | O_CLOEXEC) ||
+		    pipe2(conn->pipe_b_a, O_NONBLOCK | O_CLOEXEC)) {
 			conn_flag(c, conn, CLOSING);
 			return -EIO;
 		}
@@ -773,7 +773,7 @@ static void tcp_set_pipe_size(struct ctx *c)
 
 smaller:
 	for (i = 0; i < TCP_SPLICE_PIPE_POOL_SIZE * 2; i++) {
-		if (pipe2(probe_pipe[i], 0)) {
+		if (pipe2(probe_pipe[i], O_CLOEXEC)) {
 			i++;
 			break;
 		}
@@ -809,9 +809,9 @@ static void tcp_splice_pipe_refill(const struct ctx *c)
 	for (i = 0; i < TCP_SPLICE_PIPE_POOL_SIZE; i++) {
 		if (splice_pipe_pool[i][0][0] >= 0)
 			break;
-		if (pipe2(splice_pipe_pool[i][0], O_NONBLOCK))
+		if (pipe2(splice_pipe_pool[i][0], O_NONBLOCK | O_CLOEXEC))
 			continue;
-		if (pipe2(splice_pipe_pool[i][1], O_NONBLOCK)) {
+		if (pipe2(splice_pipe_pool[i][1], O_NONBLOCK | O_CLOEXEC)) {
 			close(splice_pipe_pool[i][1][0]);
 			close(splice_pipe_pool[i][1][1]);
 			continue;
@@ -832,7 +832,6 @@ void tcp_splice_init(struct ctx *c)
 {
 	memset(splice_pipe_pool, 0xff, sizeof(splice_pipe_pool));
 	tcp_set_pipe_size(c);
-	tcp_splice_pipe_refill(c);
 }
 
 /**

util.c

@@ -495,7 +495,7 @@ void procfs_scan_listen(struct ctx *c, uint8_t proto, int ip_version, int ns,
 
 	if (*fd != -1)
 		lseek(*fd, 0, SEEK_SET);
-	else if ((*fd = open(path, O_RDONLY)) < 0)
+	else if ((*fd = open(path, O_RDONLY | O_CLOEXEC)) < 0)
 		return;
 
 	*line = 0;