> Redhat still has not given a reason as to why this is needed. I believe: a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX) API bug (which of course can't be fixed...) b) not setting CLOEXEC on every fd is an application bug (with the exception of the specific few fd's you actually want inherited) c) iptables does occasionally fork/exec (to load modules), for example "/sbin/modprobe ip6_tables -q", but also for match/target revision compatibility checking, and when it does this it can call modprobe with additional opened descriptors (for example sockfd inside of compatible_revision isn't closed before fork/exec modprobe) - this is unclean, and could potentially cause security warnings (or even issues?) since iptables and modprobe have different contexts. [fc14]# ls -alZ `which iptables` lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/iptables -> iptables-multi [fc14]# ls -alZ /sbin/iptables-multi -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi [fc14]# ls -alZ `which modprobe` -rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe I'm not going to claim I fully understand the security implications of leaving the file descriptor open across exec, but there is clearly no reason to do so, hence the patch. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
