authorLudovic Courtès <ludo@gnu.org>2022-09-08 14:30:19 +0200
committerLudovic Courtès <ludo@gnu.org>2022-09-08 16:22:21 +0200
commite05f7c55d78b90062aad26d8badc689ea72fe88b (patch)
tree0957e51f72037f1928877517355f5013efe96f14
parent8f53630f2f11a77e2b6ec2058d0626651286bf95 (diff)
downloadguix-e05f7c55d78b90062aad26d8badc689ea72fe88b.tar.gz
guix-e05f7c55d78b90062aad26d8badc689ea72fe88b.zip
file-systems: Open files with O_CLOEXEC.
Since this code is run from PID 1, this ensures file descriptors to sensitive files and devices are not accidentally leaked to sub-processes. * gnu/build/file-systems.scm (call-with-input-file): New procedure. (mount-file-system): Use 'close-fdes' + 'open-fdes'.
-rw-r--r--gnu/build/file-systems.scm15
1 files changed, 14 insertions, 1 deletions
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index b9d46c9350..0ed5dc5671 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -98,6 +98,18 @@ standard input is /dev/null."
system*/console)
program args))
+(define (call-with-input-file file proc)
+ "Like 'call-with-input-file', but pass O_CLOEXEC."
+ (let ((port #f))
+ (dynamic-wind
+ (lambda ()
+ (set! port (open file (logior O_RDONLY O_CLOEXEC))))
+ (lambda ()
+ (proc port))
+ (lambda ()
+ (close-port port)
+ (set! port #f)))))
+
(define (bind-mount source target)
"Bind-mount SOURCE at TARGET."
(mount source target "" MS_BIND))
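Review bot: The new `call-with-input-file` at the top of the hunk shadows Guile's core binding of the same name for the whole module, so every existing caller in this file silently changes behaviour, and a reader who does not see this definition will assume the standard one; the docstring should say so explicitly. The dynamic-wind form also differs from the core procedure in that the port is closed on any exit from PROC, including non-local exits, which is the desired fd-hygiene property for PID 1 and worth stating. I would extend the docstring to: `"Like the core 'call-with-input-file' (which this shadows), but open FILE with O_CLOEXEC and close the port on any exit from PROC, including non-local exits."`. Note that if PROC escapes and a continuation later re-enters it, the before-thunk reopens FILE, which presumably is acceptable here but is a behavioural difference from the core procedure.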
@@ -1183,7 +1195,8 @@ corresponds to the symbols listed in FLAGS."
(not (file-is-directory? source)))
(unless (file-exists? target)
(mkdir-p (dirname target))
- (call-with-output-file target (const #t)))
+ (close-fdes
+ (open-fdes target (logior O_WRONLY O_CREAT O_CLOEXEC))))
(mkdir-p target))
(cond