aboutsummaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2022-09-12 14:29:45 +0200
committerLudovic Courtès <ludo@gnu.org>2022-09-13 00:31:04 +0200
commit66fdaf3677e5f7833a02096a2bcb1e9653efbb16 (patch)
treea44aeda93ebf6535b21654f8be3ec113aa38931a /gnu
parent32583c8c20b1b55b3d5289af691791749edd5e6f (diff)
downloadguix-66fdaf3677e5f7833a02096a2bcb1e9653efbb16.tar.gz
guix-66fdaf3677e5f7833a02096a2bcb1e9653efbb16.zip
services: shepherd: Install O_CLOEXEC variant of 'call-with-input-file' & co.
Fixes a bug introduced with the Shepherd 0.9.2 upgrade in commit 1ba0e38267c9ff8bb476285091be6e297bbf136e whereby files opened by, say, the 'start' method of 'urandom-seed', could leak into the execution environment of some other service--e.g., 'term-tty4'. * gnu/services/shepherd.scm (shepherd-configuration-file)[config]: Override 'call-with-input-file' and 'call-with-output-file'.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/services/shepherd.scm25
1 files changed, 25 insertions, 0 deletions
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index a8f6db9ce2..61f759a19d 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -344,6 +344,31 @@ as shepherd package."
(use-modules (srfi srfi-34)
(system repl error-handling))
+ (define (call-with-file file flags proc)
+ (let ((port #f))
+ (dynamic-wind
+ (lambda ()
+ (set! port (open file flags)))
+ (lambda ()
+ (proc port))
+ (lambda ()
+ (close-port port)
+ (set! port #f)))))
+
+ ;; There's code run from shepherd that uses 'call-with-input-file' &
+ ;; co.--e.g., the 'urandom-seed' service. Starting from Shepherd
+ ;; 0.9.2, users need to make sure not to leak non-close-on-exec file
+ ;; descriptors to child processes. To address that, replace the
+ ;; standard bindings with O_CLOEXEC variants.
+ (set! call-with-input-file
+ (lambda (file proc)
+ (call-with-file file (logior O_RDONLY O_CLOEXEC)
+ proc)))
+ (set! call-with-output-file
+ (lambda (file proc)
+ (call-with-file file (logior O_WRONLY O_CREAT O_CLOEXEC)
+ proc)))
+
;; Specify the default environment visible to all the services.
;; Without this statement, all the environment variables of PID 1
;; are inherited by child services.