search for: sock_cloexec

...verts commit 25206df20275aeff346d9b86adf5e9be99cc9e43. > > An upcoming patch wants to ensure no leaked fds from the server to a > child process. POSIX has required O_CLOEXEC since 2008, and although > current POSIX doesn't yet specify full atomic interfaces everywhere > such as SOCK_CLOEXEC, it does have an open bug since 2014 [1] > recommending the full set of interfaces that will be mandatory in the > next revision of POSIX. Most modern OS have caught up to that (RHEL 6 > and FreeBSD 10 support SOCK_CLOEXEC, for example), and we're doing > ourselves a disservice by...

On 8/1/19 4:15 AM, Richard W.M. Jones wrote: > On Thu, Aug 01, 2019 at 10:06:01AM +0100, Richard W.M. Jones wrote: >> As far as I can see Haiku (hrev52698) has O_CLOEXEC but NOT >> SOCK_CLOEXEC. As this version is a little old I'll do an update and >> see if newer versions support it. > > I'm on hrev53313+1 which also doesn't appear to have SOCK_CLOEXEC (nor > does it have accept4). Ouch. Then I'm seriously thinking of a followup patch which either forces...

...#include <errno.h> #include <signal.h> #include <netdb.h> @@ -183,12 +184,12 @@ CONNECT_COMMAND.START: int sv[2]; pid_t pid; + int flags; assert (!h->sock); assert (h->argv); assert (h->argv[0]); - if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, - sv) == -1) { + if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, sv) == -1) { SET_NEXT_STATE (%.DEAD); set_error (errno, "socketpair"); return -1; @@ -219,13 +220,27 @@ } /* Parent. */ + close (sv[1]); + h->pid = pid; + + /* The s...

...> generator/states-connect.c | 21 ++++++++++++++++++--- >> 1 file changed, 18 insertions(+), 3 deletions(-) >> > >> assert (!h->sock); >> assert (h->argv); >> assert (h->argv[0]); >> - if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, >> - sv) == -1) { >> + if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, sv) == -1) { > > Is it any easier to keep SOCK_NONBLOCK here and then clear O_NONBLOCK in > the child process? It may matter if we try to port to a system that > lacks SOCK_CL...

This reverts commit 25206df20275aeff346d9b86adf5e9be99cc9e43. An upcoming patch wants to ensure no leaked fds from the server to a child process. POSIX has required O_CLOEXEC since 2008, and although current POSIX doesn't yet specify full atomic interfaces everywhere such as SOCK_CLOEXEC, it does have an open bug since 2014 [1] recommending the full set of interfaces that will be mandatory in the next revision of POSIX. Most modern OS have caught up to that (RHEL 6 and FreeBSD 10 support SOCK_CLOEXEC, for example), and we're doing ourselves a disservice by using silent fallbac...

This reverts commit 25206df20275aeff346d9b86adf5e9be99cc9e43, and temporarily breaks compilation on Haiku which has O_CLOEXEC but lacks SOCK_CLOEXEC [1]. An upcoming patch wants to ensure no leaked fds from the server to a child process. POSIX has required O_CLOEXEC since 2008, and that is long enough that we should start blindly relying on it. Meanwhile, POSIX doesn't yet specify full atomic interfaces everywhere (SOCK_CLOEXEC and accep...

On Thu, Aug 01, 2019 at 10:06:01AM +0100, Richard W.M. Jones wrote: > As far as I can see Haiku (hrev52698) has O_CLOEXEC but NOT > SOCK_CLOEXEC. As this version is a little old I'll do an update and > see if newer versions support it. I'm on hrev53313+1 which also doesn't appear to have SOCK_CLOEXEC (nor does it have accept4). Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my...

...,18 @@ > > #include "guestfs-internal-actions.h" > > #include "guestfs_protocol.h" > > > > +/* Fixes for Mac OS X */ > > +#if defined __APPLE__ && defined __MACH__ > > +#include <sys/un.h> > > +#endif > > +#ifndef SOCK_CLOEXEC > > +# define SOCK_CLOEXEC O_CLOEXEC > > +#endif > > +#ifndef SOCK_NONBLOCK > > +# define SOCK_NONBLOCK O_NONBLOCK > > +#endif > > +/* End of fixes for Mac OS X */ > > + > > /* Check minimum required version of libvirt. The libvirt backend > >...

...a/src/launch-libvirt.c b/src/launch-libvirt.c index 1649884..ad07210 100644 --- a/src/launch-libvirt.c +++ b/src/launch-libvirt.c @@ -52,6 +52,7 @@ /* Fixes for Mac OS X */ #if defined __APPLE__ && defined __MACH__ #include <sys/un.h> +#include <sys/fcntl.h> #endif #ifndef SOCK_CLOEXEC # define SOCK_CLOEXEC O_CLOEXEC diff --git a/src/launch-unix.c b/src/launch-unix.c index 5cce9c1..f57910d 100644 --- a/src/launch-unix.c +++ b/src/launch-unix.c @@ -25,6 +25,10 @@ #include <string.h> #include <libintl.h> +#if defined __APPLE__ && defined __MACH__ +#include...

..._current_dir_name \ mkostemp \ diff --git a/common/utils/utils.c b/common/utils/utils.c index 9ac3443b..029b6685 100644 --- a/common/utils/utils.c +++ b/common/utils/utils.c @@ -140,13 +140,15 @@ exit_status_to_nbd_error (int status, const char *cmd) */ int set_cloexec (int fd) { -#if defined SOCK_CLOEXEC && defined HAVE_MKOSTEMP && defined HAVE_PIPE2 +#if (defined SOCK_CLOEXEC && defined HAVE_MKOSTEMP && defined HAVE_PIPE2 && \ + defined HAVE_ACCEPT4) nbdkit_error ("prefer creating fds with CLOEXEC atomically set"); close (fd); errno =...

...> error paths. > --- > generator/states-connect.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > assert (!h->sock); > assert (h->argv); > assert (h->argv[0]); > - if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, > - sv) == -1) { > + if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, sv) == -1) { Is it any easier to keep SOCK_NONBLOCK here and then clear O_NONBLOCK in the child process? It may matter if we try to port to a system that lacks SOCK_CLOEXEC (SOCK_NONBLOCK and SOC...

...lse { > + /* --port parameter must be numeric for vsock, unless > + * /etc/services is extended but that seems unlikely. XXX > + */ > + if (nbdkit_parse_uint32_t ("port", port, &vsock_port) == -1) > + exit (EXIT_FAILURE); > + } > + > +#ifdef SOCK_CLOEXEC > + sock = socket (AF_VSOCK, SOCK_STREAM|SOCK_CLOEXEC, 0); > +#else > + /* Fortunately, this code is only run at startup, so there is no > + * risk of the fd leaking to a plugin's fork() > + */ > + sock = set_cloexec (socket (AF_VSOCK, SOCK_STREAM, 0)); Even better, al...

.... (Nothing like finding several other pre-requisite bugs to fix first before getting to my real goal...) Eric Blake (8): rate: Pass through delay failures server: Don't leave uninit variable on failure server: Add test for nbdkit_read_password Revert "RHEL 5: Define O_CLOEXEC and SOCK_CLOEXEC." cow, cache: Better mkostemp fallback server: Atomically set CLOEXEC on all fds filters: Set CLOEXEC on files opened during .config rate: Atomically set CLOEXEC on fds server/internal.h | 8 ---- filters/cache/blk.c | 19 ++++++++- filters/cow/blk.c...

...her printf("%m") works diff --git a/common/utils/utils.c b/common/utils/utils.c index 7b63b4d4..9ac3443b 100644 --- a/common/utils/utils.c +++ b/common/utils/utils.c @@ -140,13 +140,13 @@ exit_status_to_nbd_error (int status, const char *cmd) */ int set_cloexec (int fd) { -#if defined SOCK_CLOEXEC && defined HAVE_MKOSTEMP +#if defined SOCK_CLOEXEC && defined HAVE_MKOSTEMP && defined HAVE_PIPE2 nbdkit_error ("prefer creating fds with CLOEXEC atomically set"); close (fd); errno = EBADF; return -1; #else -# if defined SOCK_CLOEXEC || defined HAVE_M...

...7 Richard W.M. Jones wrote: > > On Thu, Feb 05, 2015 at 10:53:06PM +0000, Margaret Lewicka wrote: > > > +/* Fixes for Mac OS X */ > > > +#if defined __APPLE__ && defined __MACH__ > > > +#include <sys/un.h> > > > +#endif > > > +#ifndef SOCK_CLOEXEC > > > +# define SOCK_CLOEXEC O_CLOEXEC > > > +#endif > > > +#ifndef SOCK_NONBLOCK > > > +# define SOCK_NONBLOCK O_NONBLOCK > > > +#endif > > > +/* End of fixes for Mac OS X */ > > > + > > > /* Check minimum required version of...

...tch 10 on whether I've picked the best naming convention. Eric Blake (17): maint: Rename server/utils.c to server/public.c plugins: Expose more thread_model details in --dump-plugin server: Add utility functions for setting CLOEXEC and NONBLOCK Revert "RHEL 5: Define O_CLOEXEC and SOCK_CLOEXEC." build: Audit existing use of SOCK_CLOEXEC cow, cache: Better mkostemp fallback build: Audit for use of pipe2 rate: Atomically set CLOEXEC on fds server: Use atomic CLOEXEC for nbdkit_read_password plugins: Add .fork_safe field server: Atomically set CLOEXEC on accept fds filt...

..., SO_REUSEADDR, [1], 4) = 0 <0.000015> 28636 10:33:49 bind(6, {sa_family=AF_INET, sin_port=htons(6493), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.000012> 28636 10:33:49 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 7 <0.000017> 28636 10:33:49 socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 8 <0.000012> 28636 10:33:49 connect(8, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket) <0.000016> 28636 10:33:49 close(8) = 0 <0.000016> 28636 10:33:49 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 8 <...

As the start of work to add remote support, I'm taking a close look at the protocol layer in the library. These are some small cleanups. Rich.

On Fri, Aug 02, 2019 at 02:26:11PM -0500, Eric Blake wrote: > Allow a plugin field to declare whether a parallel plugin can tolerate > windows where fds are not CLOEXEC, or must take precautions to avoid > leaking fds if the plugin may fork. For safety reasons, the flag > defaults to off, but many in-tree plugins can set it to on (most > commonly because they don't fork after

Error out early if the path to the socket will not fit into sockaddr_un::sun_path, as we will not be able to connect to it. --- src/launch-unix.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/launch-unix.c b/src/launch-unix.c index 740c554..973e14b 100644 --- a/src/launch-unix.c +++ b/src/launch-unix.c @@ -47,6 +47,12 @@ launch_unix (guestfs_h *g, void *datav, const char