[Libguestfs] [PATCH 2/4] launch: appliance: Set FD_CLOEXEC flag on console socket.

Richard W.M. Jones rjones at redhat.com
Thu Mar 7 11:44:16 UTC 2013


From: "Richard W.M. Jones" <rjones at redhat.com>

The earlier (pipe-based) code never set this flag, but that was a bug,
potentially allowing the file descriptor to be leaked to subprocesses.

Set the FD_CLOEXEC flag, but also ensure it is cleared in the child
process just before qemu is exec'd (otherwise qemu would not have a
console).
---
 src/launch-appliance.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/launch-appliance.c b/src/launch-appliance.c
index 4016d61..30c139e 100644
--- a/src/launch-appliance.c
+++ b/src/launch-appliance.c
@@ -33,6 +33,7 @@
 
 #include <pcre.h>
 
+#include "cloexec.h"
 #include "ignore-value.h"
 
 #include "guestfs.h"
@@ -235,7 +236,7 @@ launch_appliance (guestfs_h *g, const char *arg)
   }
 
   if (!g->direct) {
-    if (socketpair (AF_LOCAL, SOCK_STREAM, 0, sv) == -1) {
+    if (socketpair (AF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0, sv) == -1) {
       perrorf (g, "socketpair");
       goto cleanup0;
     }
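Review bot: SOCK_CLOEXEC in the socketpair type argument is a platform extension (Linux 2.6.27 and later), and this hunk uses it unconditionally with no fallback, so on a system whose headers lack it the file will not compile, and on an older kernel the call fails with EINVAL. Since cloexec.h is now included, consider guarding the flag with #ifdef SOCK_CLOEXEC and otherwise calling set_cloexec_flag (sv[0], 1) and set_cloexec_flag (sv[1], 1) right after a plain socketpair. The fallback leaves a short window in which another thread could fork and inherit the descriptors, which is worth a comment at that spot.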
@@ -484,6 +485,12 @@ launch_appliance (guestfs_h *g, const char *arg)
       close (1);
       close (sv[0]);
 
+      /* We set the FD_CLOEXEC flag on the socket above, but now (in
+       * the child) it's safe to unset this flag so qemu can use the
+       * socket.
+       */
+      set_cloexec_flag (sv[1], 0);
+
       /* Stdin. */
       if (dup (sv[1]) == -1) {
       dup_failed:
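Review bot: the return value of set_cloexec_flag (sv[1], 0) is discarded, so if clearing the flag fails the child carries on silently. Please check the result and take an error path like the dup_failed one just below. It is also worth confirming that the call is needed at all: the descriptors returned by the dup (sv[1]) calls that follow do not inherit FD_CLOEXEC, so stdin and stdout survive the exec regardless, and the flag on sv[1] only matters if qemu is expected to use that descriptor number directly. If it is not, leaving FD_CLOEXEC set on sv[1] would be the tighter choice, and the comment should say which case applies.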
-- 
1.8.1.4



