charon: Set CLOEXEC flag on daemon PID file and /dev/(u)random source FDs

On Fedora, SELinux complains about these open file descriptors when the updown script invokes iptables. While it seems difficult to set the flag on all file descriptors, this at least fixes those covered by the SELinux policy. As these two cases are in code executed while the daemon is still single threaded, we avoid the use of atomic but not fully portable fdopen("e") or open(O_CLOEXEC) calls. Fixes #519.
2014-06-24 14:43:38 +02:00 · 2014-06-24 14:43:38 +02:00 · 866514c70c
parent 6d4654b9f9
commit 866514c70c
2 changed files with 15 additions and 0 deletions
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@ -26,6 +26,8 @@
 #include <sys/utsname.h>
 #include <unistd.h>
 #include <getopt.h>
+#include <fcntl.h>
+#include <errno.h>

 #include <hydra.h>
 #include <daemon.h>
@ -232,6 +234,14 @@ static bool check_pidfile()
 	pidfile = fopen(PID_FILE, "w");
 	if (pidfile)
 	{
+		int fd;
+
+		fd = fileno(pidfile);
+		if (fd == -1 || fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
+		{
+			DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s",
+				 strerror(errno));
+		}
 		ignore_result(fchown(fileno(pidfile),
 							 lib->caps->get_uid(lib->caps),
 							 lib->caps->get_gid(lib->caps)));
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@ -89,6 +89,11 @@ static bool open_dev(char *file, int *fd)
 		DBG1(DBG_LIB, "opening \"%s\" failed: %s", file, strerror(errno));
 		return FALSE;
 	}
+	if (fcntl(*fd, F_SETFD, FD_CLOEXEC) == -1)
+	{
+		DBG1(DBG_LIB, "setting FD_CLOEXEC for \"%s\" failed: %s",
+			 file, strerror(errno));
+	}
 	return TRUE;
 }