src: use O_CLOEXEC with pipes

Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe · Dec 1, 2023 · c9014f8 · c9014f8
1 parent 3ad89be
commit c9014f8
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -2719,7 +2719,7 @@ libcrun_container_run (libcrun_context_t *context, libcrun_container_t *containe
       return ret;
     }
 
-  ret = pipe (container_ret_status);
+  ret = pipe2 (container_ret_status, O_CLOEXEC);
   if (UNLIKELY (ret < 0))
     return crun_make_error (err, errno, "pipe");
   pipefd0 = container_ret_status[0];
@@ -2834,7 +2834,7 @@ libcrun_container_create (libcrun_context_t *context, libcrun_container_t *conta
       return ret;
     }
 
-  ret = pipe (container_ready_pipe);
+  ret = pipe2 (container_ready_pipe, O_CLOEXEC);
   if (UNLIKELY (ret < 0))
     return crun_make_error (err, errno, "pipe");
   pipefd0 = container_ready_pipe[0];
@@ -3543,7 +3543,7 @@ libcrun_container_exec_with_options (libcrun_context_t *context, const char *id,
   if (UNLIKELY (ret < 0))
     return ret;
 
-  ret = pipe (container_ret_status);
+  ret = pipe2 (container_ret_status, O_CLOEXEC);
   if (UNLIKELY (ret < 0))
     return crun_make_error (err, errno, "pipe");
   pipefd0 = container_ret_status[0];

diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
@@ -1513,6 +1513,18 @@ format_default_id_mapping (char **ret, uid_t container_id, uid_t host_uid, uid_t
   return written;
 }
 
+static int
+unset_cloexec_flag (int fd)
+{
+  int flags = fcntl (fd, F_GETFD);
+  if (flags == -1)
+    return -1;
+
+  flags &= ~FD_CLOEXEC;
+
+  return fcntl (fd, F_SETFD, flags);
+}
+
 static void __attribute__ ((__noreturn__))
 run_process_child (char *path, char **args, const char *cwd, char **envp, int pipe_r,
                    int pipe_w, int out_fd, int err_fd)
@@ -1540,6 +1552,11 @@ run_process_child (char *path, char **args, const char *cwd, char **envp, int pi
   dup2 (out_fd >= 0 ? out_fd : dev_null_fd, 1);
   dup2 (err_fd >= 0 ? err_fd : dev_null_fd, 2);
 
+  if (out_fd >= 0)
+    unset_cloexec_flag (1);
+  if (err_fd >= 0)
+    unset_cloexec_flag (2);
+
   if (dev_null_fd >= 0)
     TEMP_FAILURE_RETRY (close (dev_null_fd));
   if (out_fd >= 0)
@@ -1573,7 +1590,7 @@ run_process_with_stdin_timeout_envp (char *path, char **args, const char *cwd, i
 
   sigemptyset (&mask);
 
-  ret = pipe (stdin_pipe);
+  ret = pipe2 (stdin_pipe, O_CLOEXEC);
   if (UNLIKELY (ret < 0))
     return crun_make_error (err, errno, "pipe");
   pipe_r = stdin_pipe[0];