Oh, sorry, I did actually send a patch with nice comments, but apparently I ended up missing the mailing list in the cc list.

From: Maciej Żenczykowski <maze@xxxxxxxxxx>

This is iptables-1.4.11-cloexec.patch from Fedora 18 iptables source rpm, in particular:

http://kojipkgs.fedoraproject.org/packages/iptables/1.4.12.2/4.fc18/src/iptables-1.4.12.2-4.fc18.src.rpm

Reasoning:

On an example Fedora 15 system:

  $ ls -alZ /sbin/ip{,6}tables* /sbin/modprobe
  lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /sbin/ip6tables -> ip6tables-multi
  -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/ip6tables-multi
  lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /sbin/ip6tables-restore -> ip6tables-multi
  lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /sbin/ip6tables-save -> ip6tables-multi
  lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /sbin/iptables -> iptables-multi
  -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi
  lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /sbin/iptables-restore -> iptables-multi
  lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /sbin/iptables-save -> iptables-multi
  -rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0   /sbin/modprobe

You will note that the iptables binaries and the modprobe binaries differ in the SELinux security context 'type'.

Since ip{,6}tables may manually fork/exec modprobe to load modules (not everything relies on kernel module autoloading), it may trigger a SELinux security context transition.

It is desirable to not have any unexpectedly open file descriptors leak across this security boundary - this may just generate needless monitoring/auditing noise (especially in extremely hardened environs).

It's also arguably just generally good programming practice to mark all file descriptors as close on exec if you are ever going to exec (on an API level this really should have been the default state of any new file descriptor).
In order to prevent races between file descriptor creation and exec in multi-threaded programs, newer Linux kernels now support creating sockets as close on exec right from the initial syscall. Fortunately we are not multi-threaded, and thus this race condition does not matter, and hence we do not need to implement the complex logic of "try socket(domain, type | SOCK_CLOEXEC, protocol), if that failed use normal socket() system call and set FD_CLOEXEC flag manually via fcntl" which is necessary to maintain desired backwards compatibility with older pre-2.6.27 kernels.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
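The message above describes, but deliberately does not implement, the portable two-step approach: request SOCK_CLOEXEC atomically in socket(), and if the kernel rejects the flag (pre-2.6.27 kernels return EINVAL for unknown type flags), fall back to a plain socket() followed by fcntl(F_SETFD, FD_CLOEXEC). The program below is an added example written for this page; it is not the Fedora patch and not iptables code. The function names socket_cloexec, set_cloexec, fd_is_cloexec and check_cloexec_roundtrip are this example's own, and it uses an AF_UNIX datagram socket only because creating one needs no network access.

```c
/* Added example: open a socket that will not leak across exec().
 * Not part of the original patch or of iptables; all function names
 * here are the example's own.
 *
 * Strategy (as described in the message):
 *   1. socket(domain, type | SOCK_CLOEXEC, protocol)  -- atomic, no race
 *   2. on EINVAL (kernel too old to know SOCK_CLOEXEC): plain socket()
 *      and then fcntl(fd, F_SETFD, FD_CLOEXEC)          -- racy if threaded
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mark an already-open descriptor close-on-exec, keeping any other
 * FD flags intact.  Returns 0 on success, -1 (errno set) on error. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;                       /* already set, nothing to do */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Returns 1 if fd has FD_CLOEXEC set, 0 if it does not, -1 on error
 * (for example when fd is not open). */
static int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* socket() that is guaranteed close-on-exec on any kernel. */
static int socket_cloexec(int domain, int type, int protocol)
{
    /* Step 1: ask the kernel to set the flag atomically. */
    int fd = socket(domain, type | SOCK_CLOEXEC, protocol);
    if (fd >= 0 || errno != EINVAL)
        return fd;                      /* success, or a real failure */

    /* Step 2: old kernel rejected the flag; set it by hand. */
    fd = socket(domain, type, protocol);
    if (fd < 0)
        return -1;
    if (set_cloexec(fd) < 0) {
        int saved = errno;              /* close() must not clobber errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Self-check exercising both paths on a constructed AF_UNIX socket.
 * Returns 0 when every step behaves as expected, a positive step
 * number otherwise. */
static int check_cloexec_roundtrip(void)
{
    int fd = socket_cloexec(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)                     return 1;
    if (fd_is_cloexec(fd) != 1)     return 2;   /* atomic path */
    if (close(fd) != 0)             return 3;

    int plain = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (plain < 0)                  return 4;
    if (fd_is_cloexec(plain) != 0)  return 5;   /* leaks by default */
    if (set_cloexec(plain) != 0)    return 6;   /* manual fallback */
    if (fd_is_cloexec(plain) != 1)  return 7;
    if (close(plain) != 0)          return 8;
    if (fd_is_cloexec(plain) != -1) return 9;   /* closed fd reports error */
    return 0;
}

int main(void)
{
    int fd = socket_cloexec(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket_cloexec");
        return 1;
    }
    printf("fd %d close-on-exec: %s\n", fd,
           fd_is_cloexec(fd) == 1 ? "yes" : "no");
    close(fd);
    return check_cloexec_roundtrip() == 0 ? 0 : 1;
}
```

The EINVAL test is what makes the fallback safe: any other errno (EMFILE, EACCES, ...) is a genuine failure and is returned as-is rather than retried without the flag. As the message notes, the fcntl fallback leaves a window between socket() and F_SETFD in which a concurrent fork/exec could inherit the descriptor, which is why the atomic flag is preferred wherever the kernel supports it.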