Ensure that the setrans socket descriptor is marked close-on-exec. If supported, use the new SOCK_CLOEXEC flag when the socket is created, as per: http://udrepper.livejournal.com/20407.html Otherwise fall back to using fcntl after the socket has been created. Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
Index: trunk/libselinux/src/setrans_client.c
===================================================================
--- trunk/libselinux/src/setrans_client.c (revision 2936)
+++ trunk/libselinux/src/setrans_client.c (working copy)
@@ -13,7 +13,7 @@
 #include <errno.h>
 #include <stdlib.h>
 #include <netdb.h>
-
+#include <fcntl.h>
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
@@ -42,11 +42,17 @@
 {
 struct sockaddr_un addr;
 int fd;
-
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
- if (fd < 0) {
+#ifdef SOCK_CLOEXEC
+ fd = socket(PF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ if (fd < 0 && errno == EINVAL)
+#endif
+ {
+ fd = socket(PF_UNIX, SOCK_STREAM, 0);
+ if (fd >= 0)
+ fcntl(fd, F_SETFD, FD_CLOEXEC);
+ }
+ if (fd < 0)
 return -1;
- }
 memset(&addr, 0, sizeof(addr));
 addr.sun_family = AF_UNIX;
-- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
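Review bot: In the fallback branch of the second hunk the return value of `fcntl(fd, F_SETFD, FD_CLOEXEC)` is discarded, so a descriptor that could not be marked close-on-exec is still handed back as if it had been, which silently defeats the guarantee this patch sets out to provide. Checking it costs two lines, `if (fd >= 0 && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); fd = -1; }`, assuming `<unistd.h>` is already included for close(), which the hunk does not show. A short comment above the fallback would also help readers understand why two code paths exist, e.g. `/* Kernels without SOCK_CLOEXEC reject it with EINVAL; set the flag afterwards (a small fork/exec race window remains on this path) */`. The enclosing function's signature and the rest of its body lie outside the hunk.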