
Make sure new file descriptors have close-on-exec flag set on them in a race-free way

Maciej S. Szmigiero requested to merge (removed):cloexec-audit into main

In many places Glib was already trying to get new file descriptors with the close-on-exec flag set in a race-free way, however quite a few sites remained where this wasn't being done - mostly in older code parts.

This MR is an attempt to rectify that and make Glib fully close-on-exec-safe where possible.

The current attempt to close all file descriptors by a g_spawn_* call without the G_SPAWN_LEAVE_DESCRIPTORS_OPEN flag is not only rather hacky, it doesn't cover any code that wants to do fork () + exec () directly (including extra libraries used by a Glib consumer).

I've gone through calls to the following functions in Glib code:

  • open () family,
  • fopen () family,
  • socket (),
  • socketpair (),
  • pipe () family,
  • accept (),
  • dup () family,
  • recvmsg ().

Converted most of these call sites to set the close-on-exec flag in a race-free way. The remaining ones are either Windows-only or lie between fork () and exec () calls.

With this change Glib should be fully close-on-exec-safe on platforms that support the necessary system calls - this is true of pretty much every modern Linux system.

The MR has been divided into 8 individually described commits to make it easier to review.
