[ebtables PATCH] Open the lockfile with O_CLOEXEC

[ebtables PATCH] Open the lockfile with O_CLOEXEC

[Ondrej Mosnacek]

Otherwise the fd will leak to subprocesses (e.g. modprobe). That's
mostly benign, but it may trigger an SELinux denial when the modprobe
process transitions to another domain.

Fixes: 8b5594d7c21f ("add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libebtc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libebtc.c b/libebtc.c
index 2a9ab87..1b058ef 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -144,7 +144,7 @@ static int lock_file()
 	int fd, try = 0;
 
 retry:
-	fd = open(LOCKFILE, O_CREAT, 00600);
+	fd = open(LOCKFILE, O_CREAT|O_CLOEXEC, 00600);
 	if (fd < 0) {
 		if (try == 1 || mkdir(dirname(pathbuf), 00700))
 			return -2;
-- 
2.29.2

Re: [ebtables PATCH] Open the lockfile with O_CLOEXEC

[Pablo Neira Ayuso]

On Wed, Feb 17, 2021 at 10:30:23PM +0100, Ondrej Mosnacek wrote:
> Otherwise the fd will leak to subprocesses (e.g. modprobe). That's
> mostly benign, but it may trigger an SELinux denial when the modprobe
> process transitions to another domain.

Applied, thanks.