authorFabricio Voznika <fvoznika@google.com>2018-06-11 16:44:56 -0700
committerShentubot <shentubot@google.com>2018-06-11 16:45:50 -0700
commitea4a468fbaacd55597ce89e3eabd2bb42746427b (patch)
treec64597a674bab1ad962c1abe8f456fc1e73a63b0 /pkg/unet
parentab2c2575d61266725ce13dff570663464a171342 (diff)
Set CLOEXEC option to sockets
hostinet/socket.go: the Sentry doesn't spawn new processes, but it doesn't hurt to protect the socket from leaking. unet/unet.go: should be setting close-on-exec. The FD is explicitly donated to children when needed. PiperOrigin-RevId: 200135682 Change-Id: Ia8a45ced1e00a19420c8611b12e7a8ee770f89cb
Diffstat (limited to 'pkg/unet')
-rw-r--r--pkg/unet/unet.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/unet/unet.go b/pkg/unet/unet.go
index 59b6c5568..f4800e0d9 100644
--- a/pkg/unet/unet.go
+++ b/pkg/unet/unet.go
@@ -201,7 +201,7 @@ func (s *Socket) enterFD() (int, bool) {
// SocketPair creates a pair of connected sockets.
func SocketPair(packet bool) (*Socket, *Socket, error) {
// Make a new pair.
- fds, err := syscall.Socketpair(syscall.AF_UNIX, socketType(packet), 0)
+ fds, err := syscall.Socketpair(syscall.AF_UNIX, socketType(packet)|syscall.SOCK_CLOEXEC, 0)
if err != nil {
return nil, nil, err
}
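Review bot: The doc comment on SocketPair still says only that it "creates a pair of connected sockets", so callers cannot tell that both descriptors are now close-on-exec and will not survive an exec unless they are handed over deliberately. I would extend it to something like `// SocketPair creates a pair of connected sockets. Both descriptors are close-on-exec; donate them explicitly (e.g. via exec.Cmd.ExtraFiles) when a child needs one.` Setting the flag in the socketpair call itself is the right form, since it leaves no window between creation and a later fcntl in which a concurrent fork/exec could inherit the FD. The hunk shows only this one creation site and the function body continues past it; any other paths in unet.go that create or receive descriptors (accept, SCM_RIGHTS receive) are not visible here and are worth checking for the same flag.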