libc: Use SOCK_CLOEXEC for various internal file descriptors.

This change avoids undesirably passing some internal file descriptors to a
process created (fork+exec) by another thread.

Kernel support for SOCK_CLOEXEC was added in r248534, March 19, 2013.

4 files changed, 12 insertions, 9 deletions

diff --git a/lib/libc/net/getaddrinfo.c b/lib/libc/net/getaddrinfo.c
index c6af6d8..495ebc1 100644
--- a/lib/libc/net/getaddrinfo.c
+++ b/lib/libc/net/getaddrinfo.c
@@ -831,7 +831,8 @@ set_source(struct ai_order *aio, struct policyhead *ph)
 	get_port(&ai, "1", 0);
 
 	/* open a socket to get the source address for the given dst */
-	if ((s = _socket(ai.ai_family, ai.ai_socktype, ai.ai_protocol)) < 0)
+	if ((s = _socket(ai.ai_family, ai.ai_socktype | SOCK_CLOEXEC,
+	    ai.ai_protocol)) < 0)
 		return;		/* give up */
 	if (_connect(s, ai.ai_addr, ai.ai_addrlen) < 0)
 		goto cleanup;
@@ -1131,7 +1132,7 @@ explore_null(const struct addrinfo *pai, const char *servname,
 	 * filter out AFs that are not supported by the kernel
 	 * XXX errno?
 	 */
-	s = _socket(pai->ai_family, SOCK_DGRAM, 0);
+	s = _socket(pai->ai_family, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (s < 0) {
 		if (errno != EMFILE)
 			return 0;
@@ -1541,18 +1542,19 @@ addrconfig(struct addrinfo *pai)
 	 */
 	af = pai->ai_family;
 	if (af == AF_UNSPEC) {
-		if ((s = _socket(AF_INET6, SOCK_DGRAM, 0)) < 0)
+		if ((s = _socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0)
 			af = AF_INET;
 		else {
 			_close(s);
-			if ((s = _socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+			if ((s = _socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC,
+			    0)) < 0)
 				af = AF_INET6;
 			else
 				_close(s);
 		}
 	}
 	if (af != AF_UNSPEC) {
-		if ((s = _socket(af, SOCK_DGRAM, 0)) < 0)
+		if ((s = _socket(af, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0)
 			return 0;
 		_close(s);
 	}
diff --git a/lib/libc/net/if_nametoindex.c b/lib/libc/net/if_nametoindex.c
index 89076c0..8f04921 100644
--- a/lib/libc/net/if_nametoindex.c
+++ b/lib/libc/net/if_nametoindex.c
@@ -68,7 +68,7 @@ if_nametoindex(const char *ifname)
 	struct ifaddrs *ifaddrs, *ifa;
 	unsigned int ni;
 
-	s = _socket(AF_INET, SOCK_DGRAM, 0);
+	s = _socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 	if (s != -1) {
 #ifdef PURIFY
 		memset(&ifr, 0, sizeof(ifr));
diff --git a/lib/libc/net/name6.c b/lib/libc/net/name6.c
index 118e033..97880a2 100644
--- a/lib/libc/net/name6.c
+++ b/lib/libc/net/name6.c
@@ -235,7 +235,7 @@ getipnodebyname(const char *name, int af, int flags, int *errp)
 	if (flags & AI_ADDRCONFIG) {
 		int s;
 
-		if ((s = _socket(af, SOCK_DGRAM, 0)) < 0)
+		if ((s = _socket(af, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0)
 			return NULL;
 		/*
 		 * TODO:
@@ -868,7 +868,8 @@ set_source(struct hp_order *aio, struct policyhead *ph)
 	}
 
 	/* open a socket to get the source address for the given dst */
-	if ((s = _socket(ss.ss_family, SOCK_DGRAM, IPPROTO_UDP)) < 0)
+	if ((s = _socket(ss.ss_family, SOCK_DGRAM | SOCK_CLOEXEC,
+	    IPPROTO_UDP)) < 0)
 		return;		/* give up */
 	if (_connect(s, (struct sockaddr *)&ss, ss.ss_len) < 0)
 		goto cleanup;
diff --git a/lib/libc/net/nscachedcli.c b/lib/libc/net/nscachedcli.c
index b4de0c1..2ceacb7 100644
--- a/lib/libc/net/nscachedcli.c
+++ b/lib/libc/net/nscachedcli.c
@@ -200,7 +200,7 @@ __open_cached_connection(struct cached_connection_params const *params)
 
 	assert(params != NULL);
 
-	client_socket = _socket(PF_LOCAL, SOCK_STREAM, 0);
+	client_socket = _socket(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
 	client_address.sun_family = PF_LOCAL;
 	strncpy(client_address.sun_path, params->socket_path,
 	    sizeof(client_address.sun_path));