* [ebtables PATCH] Open the lockfile with O_CLOEXEC
From: Ondrej Mosnacek @ 2021-02-17 21:30 UTC (permalink / raw)
To: netfilter-devel
Otherwise the fd will leak to subprocesses (e.g. modprobe). That's
mostly benign, but it may trigger an SELinux denial when the modprobe
process transitions to another domain.
Fixes: 8b5594d7c21f ("add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libebtc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libebtc.c b/libebtc.c
index 2a9ab87..1b058ef 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -144,7 +144,7 @@ static int lock_file()
int fd, try = 0;
retry:
- fd = open(LOCKFILE, O_CREAT, 00600);
+ fd = open(LOCKFILE, O_CREAT|O_CLOEXEC, 00600);
if (fd < 0) {
if (try == 1 || mkdir(dirname(pathbuf), 00700))
return -2;
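Review bot: the `+` line, `fd = open(LOCKFILE, O_CREAT|O_CLOEXEC, 00600);`, still passes no access mode and so relies on O_RDONLY being zero; while the flags are being changed anyway, `O_RDONLY|O_CREAT|O_CLOEXEC` would make the intent explicit. Setting O_CLOEXEC in open() rather than with a later fcntl(F_SETFD, FD_CLOEXEC) is the right choice, since it leaves no window in which a fork()+exec() in another thread could inherit the descriptor; the commit message could say so, because it is the reason this fix is atomic rather than merely racy-but-better.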
--
2.29.2
* Re: [ebtables PATCH] Open the lockfile with O_CLOEXEC
From: Pablo Neira Ayuso @ 2021-02-17 22:59 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: netfilter-devel
On Wed, Feb 17, 2021 at 10:30:23PM +0100, Ondrej Mosnacek wrote:
> Otherwise the fd will leak to subprocesses (e.g. modprobe). That's
> mostly benign, but it may trigger an SELinux denial when the modprobe
> process transitions to another domain.
Applied, thanks.