
Set close-on-exec flags to avoid FD leaks to subprocesses #220

Open

wants to merge 3 commits into master

Conversation

@jcarrano (Contributor) commented Dec 2, 2022

Description

These fixes prevent file descriptor leaks in my application. There may still be other potential leak sources in functions that my application does not use.

I tried to implement accept() using accept4() if it is available since that avoids a potential race condition. Same with fcntl(n,F_DUPFD_CLOEXEC,0) instead of dup().

There is no use case in which one would need to share libdill's epoll file descriptor with a child process. Even if it was innocuous, it makes automated checking difficult as one has to consider this special case.

Since libdill does not provide access to the internal epoll fd, the only way to fix this is to change the source code itself. This is necessary to avoid leaking file descriptors to child processes.

The implementation tries to use accept4 when available, since that sets the flag atomically with the creation of the connected socket, and falls back to accept()+fcntl if not.

The IPC and TCP subsystems call dill_fd_own which does not preserve the file descriptor flags. This means that even if the user creates the sockets with the proper flags, when they use "fromfd" the file descriptors will still be leaked to child processes.

The implementation tries to use F_DUPFD_CLOEXEC if available.
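The three techniques the PR describes (accept4 with SOCK_CLOEXEC falling back to accept()+fcntl, fcntl(F_DUPFD_CLOEXEC) instead of dup(), and epoll_create1(EPOLL_CLOEXEC) for the internal epoll fd), written out as an added example. This is not libdill's code and not the code from this PR; it assumes Linux with glibc (accept4, SOCK_CLOEXEC, F_DUPFD_CLOEXEC and EPOLL_CLOEXEC available), and the helper names fd_is_cloexec, accept_cloexec, accept_cloexec_fallback, dup_cloexec and selftest are hypothetical. It goes slightly beyond the PR by including a check helper and a loopback self-test that verifies the FD_CLOEXEC bit on every fd it creates, including one produced by plain dup() to show the leak the PR closes.

```c
#define _GNU_SOURCE           /* accept4() prototype on glibc (assumption: Linux/glibc) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <sys/epoll.h>
#endif

/* Hypothetical check helper: 1 if FD_CLOEXEC is set, 0 if not, -1 if fd is invalid. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on an fd that was created without it; closes fd on failure. */
static int set_cloexec_or_close(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags >= 0 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) return fd;
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Fallback path: accept() then fcntl(). Not atomic: a fork() from another
   thread between the two calls still hands the child an inheritable fd. */
int accept_cloexec_fallback(int lfd, struct sockaddr *addr, socklen_t *len) {
    int fd = accept(lfd, addr, len);
    return fd < 0 ? -1 : set_cloexec_or_close(fd);
}

/* Preferred path: accept4(SOCK_CLOEXEC) sets the flag together with socket creation. */
int accept_cloexec(int lfd, struct sockaddr *addr, socklen_t *len) {
#ifdef SOCK_CLOEXEC
    return accept4(lfd, addr, len, SOCK_CLOEXEC);
#else
    return accept_cloexec_fallback(lfd, addr, len);
#endif
}

/* dup() replacement: F_DUPFD_CLOEXEC marks the duplicate atomically. */
int dup_cloexec(int fd) {
#ifdef F_DUPFD_CLOEXEC
    return fcntl(fd, F_DUPFD_CLOEXEC, 0);
#else
    int nfd = dup(fd);
    return nfd < 0 ? -1 : set_cloexec_or_close(nfd);
#endif
}

/* Connect a fresh client socket to the loopback listener; returns the fd or -1. */
static int connect_loopback(const struct sockaddr_in *sa) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (const struct sockaddr *)sa, sizeof *sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Exercise every helper on a loopback TCP listener and check the FD_CLOEXEC bit on
   each resulting fd. Returns 0 when all CLOEXEC-aware helpers produced flagged fds
   and plain dup() did not; a positive code names the failed check; -1 means the
   socket setup itself failed. */
int selftest(void) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks an ephemeral one */
    socklen_t salen = sizeof sa;

    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    if (bind(lfd, (struct sockaddr *)&sa, salen) < 0 || listen(lfd, 4) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &salen) < 0) { close(lfd); return -1; }

    int rc = -1, c1 = -1, c2 = -1, a1 = -1, a2 = -1, d_plain = -1, d_ce = -1, epfd = -1;
    if ((c1 = connect_loopback(&sa)) < 0 || (a1 = accept_cloexec(lfd, NULL, NULL)) < 0) goto out;
    if ((c2 = connect_loopback(&sa)) < 0 || (a2 = accept_cloexec_fallback(lfd, NULL, NULL)) < 0) goto out;
    d_plain = dup(a1);            /* the leaky original: dup() clears FD_CLOEXEC on the copy */
    d_ce = dup_cloexec(a1);
    if (d_plain < 0 || d_ce < 0) goto out;

    rc = 0;
    if (fd_is_cloexec(a1) != 1)           rc = 1;   /* accept4 path */
    else if (fd_is_cloexec(a2) != 1)      rc = 2;   /* accept+fcntl path */
    else if (fd_is_cloexec(d_plain) != 0) rc = 3;   /* plain dup() must NOT be flagged */
    else if (fd_is_cloexec(d_ce) != 1)    rc = 4;   /* F_DUPFD_CLOEXEC path */
#ifdef __linux__
    epfd = epoll_create1(EPOLL_CLOEXEC);            /* epoll_create() has no way to set it */
    if (rc == 0 && fd_is_cloexec(epfd) != 1) rc = 5;
#endif
out:
    /* close() on a -1 placeholder just fails with EBADF, which is harmless here */
    close(epfd); close(d_ce); close(d_plain); close(a2); close(a1);
    close(c2); close(c1); close(lfd);
    return rc;
}

int main(void) {
    int rc = selftest();
    printf("selftest: %s (rc=%d)\n", rc == 0 ? "all fds flagged as expected" : "FAILED", rc);
    return rc != 0;
}
```

The fallback is kept as a separate function rather than hidden behind the #ifdef so the self-test exercises both paths on the same build; in a real tree, something like `fd_is_cloexec` run over `/proc/self/fd` after library initialisation is the "automated checking" the PR description mentions, and it only works when no special cases such as the epoll fd have to be exempted.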