06/21: file-systems: Open files with O_CLOEXEC.
From: guix-commits
Subject: 06/21: file-systems: Open files with O_CLOEXEC.
Date: Thu, 8 Sep 2022 10:24:07 -0400 (EDT)
civodul pushed a commit to branch master
in repository guix.
commit e05f7c55d78b90062aad26d8badc689ea72fe88b
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Sep 8 14:30:19 2022 +0200
file-systems: Open files with O_CLOEXEC.
Since this code is run from PID 1, this ensures file descriptors to
sensitive files and devices are not accidentally leaked to
sub-processes.
* gnu/build/file-systems.scm (call-with-input-file): New procedure.
(mount-file-system): Use 'close-fdes' + 'open-fdes'.
---
gnu/build/file-systems.scm | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index b9d46c9350..0ed5dc5671 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -98,6 +98,18 @@ standard input is /dev/null."
system*/console)
program args))
+(define (call-with-input-file file proc)
+ "Like 'call-with-input-file', but pass O_CLOEXEC."
+ (let ((port #f))
+ (dynamic-wind
+ (lambda ()
+ (set! port (open file (logior O_RDONLY O_CLOEXEC))))
+ (lambda ()
+ (proc port))
+ (lambda ()
+ (close-port port)
+ (set! port #f)))))
+
(define (bind-mount source target)
"Bind-mount SOURCE at TARGET."
(mount source target "" MS_BIND))
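Review bot: In the new `call-with-input-file`, the port is opened in the in-guard of `dynamic-wind` and closed in the out-guard, so the docstring's "Like 'call-with-input-file'" understates the difference: the port is closed on any exit from PROC, including a non-local one, and FILE would be reopened from the start if PROC's extent were re-entered through a captured continuation. Because the definition reuses the name of the core procedure and takes only FILE and PROC, every caller in this module switches to it silently. Suggest stating both points in the docstring, or opening the port before `dynamic-wind` and keeping only `close-port` in the out-guard.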
@@ -1183,7 +1195,8 @@ corresponds to the symbols listed in FLAGS."
(not (file-is-directory? source)))
(unless (file-exists? target)
(mkdir-p (dirname target))
- (call-with-output-file target (const #t)))
+ (close-fdes
+ (open-fdes target (logior O_WRONLY O_CREAT O_CLOEXEC))))
(mkdir-p target))
(cond
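Review bot: The `open-fdes` call passes `O_CREAT` without a mode argument, so the permissions of the newly created mount target are left to the default and to the umask in effect in PID 1; suggest passing an explicit mode as the third argument so the result depends on neither. A short comment would also help at this spot: the descriptor goes straight to `close-fdes`, so a reader may wonder what `O_CLOEXEC` buys here, and the commit message's rationale about not leaking descriptors from PID 1 to sub-processes belongs next to the code.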