02/03: services: shepherd: Install O_CLOEXEC variant of 'call-with-input

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/03: services: shepherd: Install O_CLOEXEC variant of 'call-with-input

From:	guix-commits
Subject:	02/03: services: shepherd: Install O_CLOEXEC variant of 'call-with-input-file' & co.
Date:	Mon, 12 Sep 2022 18:34:28 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix.

commit 66fdaf3677e5f7833a02096a2bcb1e9653efbb16
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Sep 12 14:29:45 2022 +0200

    services: shepherd: Install O_CLOEXEC variant of 'call-with-input-file' & 
co.
    
    Fixes a bug introduced with the Shepherd 0.9.2 upgrade in commit
    1ba0e38267c9ff8bb476285091be6e297bbf136e whereby files opened by, say,
    the 'start' method of 'urandom-seed', could leak into the execution
    environment of some other service--e.g., 'term-tty4'.
    
    * gnu/services/shepherd.scm (shepherd-configuration-file)[config]:
    Override 'call-with-input-file' and 'call-with-output-file'.
---
 gnu/services/shepherd.scm | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index a8f6db9ce2..61f759a19d 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -344,6 +344,31 @@ as shepherd package."
           (use-modules (srfi srfi-34)
                        (system repl error-handling))
 
+          (define (call-with-file file flags proc)
+            (let ((port #f))
+              (dynamic-wind
+                (lambda ()
+                  (set! port (open file flags)))
+                (lambda ()
+                  (proc port))
+                (lambda ()
+                  (close-port port)
+                  (set! port #f)))))
+
+          ;; There's code run from shepherd that uses 'call-with-input-file' &
+          ;; co.--e.g., the 'urandom-seed' service.  Starting from Shepherd
+          ;; 0.9.2, users need to make sure not to leak non-close-on-exec file
+          ;; descriptors to child processes.  To address that, replace the
+          ;; standard bindings with O_CLOEXEC variants.
+          (set! call-with-input-file
+                (lambda (file proc)
+                  (call-with-file file (logior O_RDONLY O_CLOEXEC)
+                                  proc)))
+          (set! call-with-output-file
+                (lambda (file proc)
+                  (call-with-file file (logior O_WRONLY O_CREAT O_CLOEXEC)
+                                  proc)))
+
           ;; Specify the default environment visible to all the services.
           ;; Without this statement, all the environment variables of PID 1
           ;; are inherited by child services.

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (631d893023 -> 491dd62b38), guix-commits, 2022/09/12
- 01/03: services: secret-service: Inherit from the original 'guix-configuration'., guix-commits, 2022/09/12
- 02/03: services: shepherd: Install O_CLOEXEC variant of 'call-with-input-file' & co., guix-commits <=
- 03/03: secret-service: Mark sockets as SOCK_CLOEXEC., guix-commits, 2022/09/12

Prev by Date: branch master updated (631d893023 -> 491dd62b38)
Next by Date: 03/03: secret-service: Mark sockets as SOCK_CLOEXEC.
Previous by thread: 01/03: services: secret-service: Inherit from the original 'guix-configuration'.
Next by thread: 03/03: secret-service: Mark sockets as SOCK_CLOEXEC.
Index(es):
- Date
- Thread