author | Ludovic Courtès <ludo@gnu.org> | 2022-09-08 14:30:19 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2022-09-08 16:22:21 +0200 |
commit | e05f7c55d78b90062aad26d8badc689ea72fe88b (patch) | |
tree | 0957e51f72037f1928877517355f5013efe96f14 | |
parent | 8f53630f2f11a77e2b6ec2058d0626651286bf95 (diff) | |
download | guix-e05f7c55d78b90062aad26d8badc689ea72fe88b.tar.gz guix-e05f7c55d78b90062aad26d8badc689ea72fe88b.zip |
file-systems: Open files with O_CLOEXEC.
Since this code is run from PID 1, this ensures file descriptors to
sensitive files and devices are not accidentally leaked to
sub-processes.
* gnu/build/file-systems.scm (call-with-input-file): New procedure.
(mount-file-system): Use 'close-fdes' + 'open-fdes'.
-rw-r--r-- | gnu/build/file-systems.scm | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index b9d46c9350..0ed5dc5671 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -98,6 +98,18 @@ standard input is /dev/null."
              system*/console)
          program args))
 
+(define (call-with-input-file file proc)
+  "Like 'call-with-input-file', but pass O_CLOEXEC."
+  (let ((port #f))
+    (dynamic-wind
+      (lambda ()
+        (set! port (open file (logior O_RDONLY O_CLOEXEC))))
+      (lambda ()
+        (proc port))
+      (lambda ()
+        (close-port port)
+        (set! port #f)))))
+
 (define (bind-mount source target)
   "Bind-mount SOURCE at TARGET."
   (mount source target "" MS_BIND))
@@ -1183,7 +1195,8 @@ corresponds to the symbols listed in FLAGS."
              (not (file-is-directory? source)))
         (unless (file-exists? target)
           (mkdir-p (dirname target))
-          (call-with-output-file target (const #t)))
+          (close-fdes
+           (open-fdes target (logior O_WRONLY O_CREAT O_CLOEXEC))))
         (mkdir-p target))
 
     (cond
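Review bot: The new `call-with-input-file` in the first hunk rebinds a core Guile name for the whole module, so every existing `call-with-input-file` call in file-systems.scm silently changes behaviour, and the docstring's "Like 'call-with-input-file'" now reads as self-referential. Make the shadowing explicit with a comment above the define, e.g. `;; Shadows Guile's core 'call-with-input-file' module-wide: any read done from PID 1 through this name gets O_CLOEXEC, so the descriptor does not survive an exec in a child process.` The docstring should also record a second difference callers may rely on: because the port is closed in the 'dynamic-wind' after-thunk, it is closed on non-local exit from PROC too, not only on normal return, which (as far as I recall) the core procedure does not guarantee. Both definitions in this hunk are complete within it.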
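Review bot: The replacement in the second hunk keeps the non-atomic check-then-create: `file-exists?` follows symlinks, so a dangling symlink at TARGET is reported as absent and `open-fdes` with O_CREAT (and no O_EXCL or O_NOFOLLOW) then creates whatever the link points to; the old `call-with-output-file` behaved the same, so this is pre-existing rather than introduced, but the rewrite is the natural place to decide whether `(logior O_WRONLY O_CREAT O_EXCL O_CLOEXEC)` is acceptable here (it would fail with EEXIST instead of following the link, so verify no configuration relies on a symlinked placeholder at the mount point). A short comment would also help, since both the dropped O_TRUNC and the immediate close are deliberate: `;; Create TARGET as an empty placeholder (presumably for a non-directory SOURCE); the descriptor is closed right away and O_CLOEXEC keeps it from leaking should a fork happen first.` Note that `open-fdes` without a MODE argument creates the file with #o666 masked by the umask, which matches what the previous "w"-style open did, so that part is unchanged. The enclosing `mount-file-system` starts and ends outside the hunk.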