xenbits.xensource.com Git - xen.git/commitdiff
tools/xl: Open xldevd.log with O_CLOEXEC
author Andrew Cooper <andrew.cooper3@citrix.com>
Tue, 7 May 2024 11:05:58 +0000 (12:05 +0100)
committer Andrew Cooper <andrew.cooper3@citrix.com>
Mon, 24 Jun 2024 15:22:59 +0000 (16:22 +0100)
`xl devd` has been observed leaking /var/log/xldevd.log into children.

Note this is specifically safe; dup2() leaves O_CLOEXEC disabled on newfd, so
after setting up stdout/stderr, it's only the logfile fd which will close on
exec().

Link: https://github.com/QubesOS/qubes-issues/issues/8292
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Acked-by: Anthony PERARD <anthony.perard@vates.tech>
Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
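
The close-on-exec behaviour the commit message relies on can be checked directly. The following C program is an added example, not part of the Xen patch; the scratch path, `SPARE_FD` and the function names are constructed for the demonstration, with `SPARE_FD` standing in for stdout/stderr.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define SPARE_FD 100  /* constructed stand-in for the stdout/stderr targets */

/* 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error. */
static int cloexec_set(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

/*
 * Open a scratch log with the patched flags, dup2() it onto SPARE_FD and
 * record the close-on-exec state of each descriptor.
 * Returns 0 on success, -1 if a syscall failed.
 */
int probe_dup2_cloexec(int *on_logfile, int *on_newfd)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";   /* constructed scratch path */
    int tmp = mkstemp(path), logfile, rc = -1;

    if (tmp < 0)
        return -1;
    close(tmp);

    logfile = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0644);
    if (logfile >= 0 && dup2(logfile, SPARE_FD) == SPARE_FD) {
        *on_logfile = cloexec_set(logfile);   /* flag set by open() */
        *on_newfd = cloexec_set(SPARE_FD);    /* flag not copied by dup2() */
        close(SPARE_FD);
        rc = 0;
    }
    if (logfile >= 0)
        close(logfile);
    unlink(path);
    return rc;
}

int main(void)
{
    int a = -1, b = -1;
    if (probe_dup2_cloexec(&a, &b) != 0) { perror("probe"); return 1; }
    printf("logfile FD_CLOEXEC=%d, dup2 target FD_CLOEXEC=%d\n", a, b);
    return 0;
}
```

The descriptor returned by `open()` carries the flag and closes on exec(), while the descriptor produced by `dup2()` does not, which is why children keep a working stdout/stderr.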
tools/xl/xl_utils.c

index 17489d182954f04da5ff2a5ecad43c44a8abab38..b0d23b2cdb8a8b94192b02ff0a243775abd9fd26 100644 (file)
 #include "xl.h"
 #include "xl_utils.h"
 
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
 void dolog(const char *file, int line, const char *func, const char *fmt, ...)
 {
     va_list ap;
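Review bot: The `#define O_CLOEXEC 0` fallback added above dolog() turns the flag into a silent no-op on any platform whose headers lack O_CLOEXEC, so the open() in do_daemonize() would still leak the log fd there with no build-time or run-time indication. Either add a short comment saying the leak is accepted on such platforms, or fall back to setting FD_CLOEXEC with fcntl(logfile, F_SETFD, ...) right after the open().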
@@ -270,7 +274,7 @@ int do_daemonize(const char *name, const char *pidfile)
         exit(-1);
     }
 
-    CHK_SYSCALL(logfile = open(fullname, O_WRONLY|O_CREAT|O_APPEND, 0644));
+    CHK_SYSCALL(logfile = open(fullname, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0644));
     free(fullname);
     assert(logfile >= 3);
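Review bot: The reason O_CLOEXEC is safe on the open() in do_daemonize() (dup2() does not carry the flag over to stdout/stderr) is recorded only in the commit message; a one-line comment above the open() would keep a later reader from removing the flag or assuming the redirected descriptors also close on exec. The new line is also roughly 90 columns wide, so wrap the flag list onto a continuation line.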